v3.0.10: how to specify allowed SSID list in users file?
"František Hanzlík"
franta at hanzlici.cz
Sun Nov 13 09:38:15 CET 2016
I want to authenticate WiFi users on freeradius-3.0.10. The AP provides several
SSIDs and I want certain users to be able to connect just to certain SSIDs.
The users are few, and I want to use the files module for AAA. My idea is to use
notation something like this (in the users file mods-config/files/authorize):
    tom   Cleartext-Password := "to", Wifi-Allowed = "SSID1,SSID2"
    pepa  Cleartext-Password := "pp", Wifi-Allowed = "SSID1"
    petr  Cleartext-Password := "pe", Wifi-Allowed = "SSID3"
and then test it in the default server's "authorize" section, somewhere after
the "files" module specification, with unlang code something like:
    switch &Called-Station-SSID {
        case "SSID1" {
            if (&control:Wifi-Allowed =~ /.*SSID1.*/ ) {
                ok
            } else {
                reject
            }
        }
        case "SSID2" {
            if (&control:Wifi-Allowed =~ /.*SSID2.*/ ) {
                ok
            } else {
                reject
            }
        }
    }
I've filled Called-Station-SSID by calling rewrite_called_station_id at the
beginning of the "authorize" section (just after "filter_username"); this
part seems to be fine.
Unfortunately, all my attempts end unsuccessfully, mostly with a syntax
error in the 'users' file, or at run time at 'if (&control:Wifi-Allowed ...' with
the error
"ERROR: Failed retrieving values required to evaluate condition".
I tried to declare the attribute "Wifi-Allowed" in %{raddb}/dictionary or
%{raddb}/dictionary.local, both without success.
Is it even possible to do it this way? What should be the correct
procedure?
I also tried another way, where I had an additional file in the form:
    SSID1:user1,user3,user4
    SSID2:user1
    SSID3:user2
and parsed it with a slightly modified etc_group module and then checked with
similar unlang code as above - and it works fine; but as a disadvantage
there must be two configuration files.
I would be happier if it were possible to have a user, his password
(or certificate - is that also possible?), and his allowed SSIDs in one
(perhaps "users") file.
TIA, Franta
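
The following is an added example, not part of the original post and not FreeRADIUS code: a small Python model of the allow-list check described above, comparing the post's substring regex and case-only switch with an exact-entry, default-deny check. The user "eva" and her "SSID10" entry are hypothetical, constructed to show the over-match; the other entries mirror the post.

```python
import re

# Constructed sample mirroring the post's users-file entries, plus one
# hypothetical user ("eva") whose allowed SSID merely contains "SSID1".
ALLOWED = {
    "tom": "SSID1,SSID2",
    "pepa": "SSID1",
    "petr": "SSID3",
    "eva": "SSID10",
}

def post_style_check(user, ssid):
    """Model of the switch in the post: cases for SSID1 and SSID2 only,
    substring regex, no default case. Returns 'ok', 'reject' or None
    (None = no case matched, so the block takes no decision)."""
    if ssid not in ("SSID1", "SSID2"):
        return None
    allowed = ALLOWED.get(user, "")
    return "ok" if re.search(".*" + re.escape(ssid) + ".*", allowed) else "reject"

def strict_check(user, ssid):
    """Default-deny variant: split the list on commas and require an
    exact match of one whole entry."""
    entries = [e.strip() for e in ALLOWED.get(user, "").split(",") if e.strip()]
    return "ok" if ssid in entries else "reject"

def compare(cases):
    """Return (user, ssid, post_result, strict_result) for each case."""
    return [(u, s, post_style_check(u, s), strict_check(u, s)) for u, s in cases]

if __name__ == "__main__":
    for row in compare([("tom", "SSID2"), ("pepa", "SSID2"),
                        ("eva", "SSID1"), ("pepa", "SSID3"), ("petr", "SSID3")]):
        print("%-5s %-6s post=%-7s strict=%s" % row)
```

The two rows to look at are eva on SSID1 (the substring match passes, the exact match rejects) and pepa on SSID3 (no case matches, so the modelled switch never issues a reject).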