Best way to deny users not matching any groups in the SQL DB

Sylvain Munaut s.munaut at whatever-company.com
Thu Feb 18 16:03:13 CET 2016


Hi,


I'm using radius to control access to access points (several SSIDs)
using both PEAP and EAP-TLS, control a vpn server and also 802.1x
switch ports.

I have one group defined per service (so one per wifi SSID, one for
VPN, ...) that makes sure that the correct return attributes are in
the response.

What I'd like is that if either:
 - The user doesn't exist at all in the DB
 - Or the user exists but didn't match any groups (because the user
doesn't have access to the particular service he's trying to use).

Then access should be denied.


What's the recommended way to achieve that result?

All the ones I'm thinking of seem pretty messy so I must be missing
something, and given it's pretty easy to omit something and open a big
security hole, I'd rather have some expert opinion here.


Cheers,

   Sylvain Munaut


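As an added illustration (not part of Sylvain's message and not a reply from the list), here is the deny policy described above expressed in FreeRADIUS 3 unlang for the `authorize` section. It assumes the standard `rlm_sql` schema (radcheck/radusergroup) and that each NAS announces its service in `NAS-Identifier`, with one SQL group named `svc-<NAS-Identifier>` per service; those names are assumptions, not from the post.

```unlang
# Added example: sites-enabled/default, authorize section (FreeRADIUS 3).
# Assumed naming: SQL group for a service is "svc-<NAS-Identifier>".
authorize {
    # Derive the group this request must match from the NAS that sent it.
    update control {
        &Tmp-String-0 := "svc-%{NAS-Identifier}"
    }

    # rlm_sql loads radcheck/radreply items and the user's group entries.
    # It returns "notfound" when the user appears in neither radcheck nor
    # radusergroup, i.e. the user does not exist in the DB at all.
    sql
    if (notfound) {
        reject
    }

    # Comparing &SQL-Group makes rlm_sql run its group membership query.
    # A user who exists but is not in this service's group has no
    # entitlement to it, so the request is rejected explicitly rather
    # than falling through to whatever the remaining modules decide.
    if (!(&SQL-Group == "%{control:Tmp-String-0}")) {
        reject
    }

    # Remaining authorize modules (eap, pap, ...) follow here.
}
```

Both branches fail closed: an unknown user and a known user outside the service group both end in `reject` before any Auth-Type is selected.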