limiting login for particular purpose

Matthew Newton mcn4 at leicester.ac.uk
Sun May 22 17:54:50 CEST 2016


On Sun, May 22, 2016 at 12:49:09AM +0200, dump at gmx.info wrote:
> I want to add a small administration page and I want to use radius via
> php too for authentication of the admin. But I want to ensure that the
> administration account can only be used for login into the
> administration section and not for login into the WiFi-net.
> 
> I don't want to use realms for this purpose. I thought using the
> Auth-Type directive in the radcheck or radgroupcheck table and
> forbidding EAP authentication could be a possibility. But I don't know
> how to arrange this.
> 
> Does somebody have some hints or another possibility for achieving the
> described above?

Look at the wireless auth packets and the web site auth packets.
Find some difference between them (missing Calling-Station-Id,
different NAS-IP-Address, Service-Type etc) and either put
radcheck entries to reject the connection for those, or just use
unlang to reject in the case you don't want to allow access.

e.g.

if (&NAS-IP-Address != "10.11.12.13" && &User-Name == "webadmin") {
  reject
}

http://freeradius.org/radiusd/man/unlang.html

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
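
The "find some difference between them" step above, as an added example that is not part of the original message: it parses requests in FreeRADIUS detail-file layout and lists the attributes that separate WiFi requests from web-login requests, which are the candidates for a radcheck or unlang condition. The sample requests are constructed, and parse_detail and discriminators are hypothetical helper names.

```python
import re
# Constructed sample requests in detail-file layout (all values are made up).
WIFI = """\
Sun May 22 10:00:01 2016
\tUser-Name = "alice"
\tNAS-IP-Address = 10.20.0.5
\tCalling-Station-Id = "AA-BB-CC-11-22-33"
\tService-Type = Framed-User
\tEAP-Message = 0x0201000a01616c696365

Sun May 22 10:03:40 2016
\tUser-Name = "bob"
\tNAS-IP-Address = 10.20.0.6
\tCalling-Station-Id = "AA-BB-CC-44-55-66"
\tService-Type = Framed-User
\tEAP-Message = 0x0201000801626f62
"""
WEB = """\
Sun May 22 10:05:12 2016
\tUser-Name = "webadmin"
\tNAS-IP-Address = 10.11.12.13
\tUser-Password = "(redacted)"
"""
ATTR = re.compile(r"^\s+([\w-]+)\s*=\s*(.+?)\s*$")  # indented "Name = value"

def parse_detail(text):
    """Return one {attribute: value} dict per request in detail-file text."""
    requests = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (ATTR.match(line) for line in block.splitlines())
        attrs = {m.group(1): m.group(2).strip('"') for m in pairs if m}
        if attrs:
            requests.append(attrs)
    return requests

def discriminators(group_a, group_b, ignore=("User-Name", "User-Password")):
    """Attributes present in every request of one group and none of the other,
    or present in every request of both groups with no value in common."""
    result = {}
    for name in sorted({n for r in group_a + group_b for n in r} - set(ignore)):
        a = [r.get(name) for r in group_a]
        b = [r.get(name) for r in group_b]
        if None not in a and set(b) == {None}:
            result[name] = "only in first group"
        elif None not in b and set(a) == {None}:
            result[name] = "only in second group"
        elif None not in a + b and set(a).isdisjoint(b):
            result[name] = "values differ"
    return result
```

Calling discriminators(parse_detail(WIFI), parse_detail(WEB)) on real captures shows which attributes are reliable enough to key the reject rule on.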

