Freeradius 2.2.5 Access by SSID

Matthew Newton mcn at freeradius.org
Tue Aug 8 18:33:51 CEST 2017


On Tue, 2017-08-08 at 13:23 -0300, Alejandro Cabrera Obed wrote:
> Hi, I want to add that in Freeradius debug mode, I can see lines like
> this coming from the WiFi clients:
> 
> Called-Station-Id = "44:05:d9:0e:dd:40:SSID1"
> Called-Station-Id = "44:ad:82:0e:2d:40:SSID2"
> 
> For each SSID, I need to match a different AD group with the
> corresponding users.

In version 3 you can add the "rewrite_called_station_id" policy to
sites-enabled/default, and that will split out the SSID into the
Called-Station-SSID attribute for you. Add it before the call to
'files' so the attribute is there ready for that to use.

You can do it in version 2 as well, but that's obsolete and I can't
remember if the policy is already there. I don't think it is. So you'd
have to write the unlang yourself, or copy the policy over from v3.

Then you can update your users file to compare the SSID as well, e.g.
something like

bob	Called-Station-SSID != 'SSID1', Auth-Type := Reject

Or if you are already using the users file (sounds like you are) then
you might want to add a second instantiation of the files module with a
different file other than 'users' so the SSID check is completely
separate.

You could do it directly in unlang if there are a small number of
users. Anything that compares the User-Name to Called-Station-SSID will
work.

-- 
Matthew
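
As an added illustration (not part of the original message and not FreeRADIUS's own policy code), the Python below shows the kind of split the reply describes, separating the SSID from the MAC address in Called-Station-Id, followed by a per-SSID group check that fails closed. The regular expression, the function names, and the group names are assumptions made for this example.

```python
import re

# Six hex octets with an optional one-character non-alphanumeric separator
# between them, optionally followed by a separator and the SSID.
CALLED_STATION_RE = re.compile(
    r"^((?:[0-9a-f]{2}[^0-9a-z]?){5}[0-9a-f]{2})(?:[^0-9a-z](.+))?$",
    re.IGNORECASE,
)


def split_called_station_id(value):
    """Return (normalised_mac, ssid); ssid is None when the NAS sent none."""
    m = CALLED_STATION_RE.match(value.strip())
    if m is None:
        raise ValueError(f"unrecognised Called-Station-Id: {value!r}")
    digits = re.sub(r"[^0-9a-fA-F]", "", m.group(1)).upper()
    mac = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return mac, m.group(2)


def ssid_permits(value, user_groups, ssid_groups):
    """True only if the SSID is known and the user holds its mapped group."""
    try:
        _, ssid = split_called_station_id(value)
    except ValueError:
        return False  # unparseable value: deny rather than skip the check
    required = ssid_groups.get(ssid)  # None for a missing or unmapped SSID
    return required is not None and required in user_groups


# Constructed mapping; the group names are hypothetical.
SSID_GROUPS = {"SSID1": "wifi-ssid1", "SSID2": "wifi-ssid2"}

if __name__ == "__main__":
    # Sample values: the two from the quoted debug output plus one
    # constructed value with no SSID component.
    for csid in ("44:05:d9:0e:dd:40:SSID1", "44:ad:82:0e:2d:40:SSID2",
                 "44-05-D9-0E-DD-40"):
        print(csid, split_called_station_id(csid),
              ssid_permits(csid, {"wifi-ssid1"}, SSID_GROUPS))
```

A request whose Called-Station-Id carries no SSID, or an SSID with no mapping, is denied here instead of bypassing the comparison.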


