Freeradius 2.2.5 Access by SSID

Alejandro Cabrera Obed aco1967 at gmail.com
Wed Aug 9 15:41:16 CEST 2017


Dear Matthew, thanks for your response. Maybe I have to update from
Freeradius 2.x to 3.x, in order to have more benefits like the one I want.

After reading your explanation, I understand I have to edit the users file
with a line like "bob     Called-Station-SSID != 'SSID1', Auth-Type :=
Reject" for each user that has to access the WiFi service... so if I
have 500 users, I will have a lot of work because I have to replicate all
the AD users in the Freeradius "users" file. These 500 users are in our
Active Directory service that Freeradius authenticates to.

So is there any way to validate user / SSID against the AD in place of
the local "users" file?

Thanks in advance!

Alejandro

2017-08-08 13:33 GMT-03:00 Matthew Newton <mcn at freeradius.org>:

> On Tue, 2017-08-08 at 13:23 -0300, Alejandro Cabrera Obed wrote:
> > Hi, I want to add that in Freeradius debug mode, I can see lines like
> > this
> > coming from the WiFi clients:
> >
> > Called-Station-Id = "44:05:d9:0e:dd:40:SSID1"
> > Called-Station-Id = "44:ad:82:0e:2d:40:SSID2"
> >
> > For each SSID, I need to match a different AD group with the
> > corresponding
> > users.
>
> In version 3 you can add the "rewrite_called_station_id" policy to
> sites-enabled/default, and that will split out the SSID into the
> Called-Station-SSID attribute for you. Add it before the call to
> 'files' so the attribute is there ready for that to use.
>
> You can do it in version 2 as well, but that's obsolete and I can't
> remember if the policy is already there. I don't think it is. So you'd
> have to write the unlang yourself, or copy the policy over from v3.
>
> Then you can update your users file to compare the SSID as well, e.g.
> something like
>
> bob     Called-Station-SSID != 'SSID1', Auth-Type := Reject
>
> Or if you are already using the users file (sounds like you are) then
> you might want to add a second instantiation of the files module with a
> different file other than 'users' so the SSID check is completely
> separate.
>
> You could do it directly in unlang if there are a small number of
> users. Anything that compares the User-Name to Called-Station-SSID will
> work.
>
> --
> Matthew




-- 
 //  Alejandro   //
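
An added example, not part of the original thread and not FreeRADIUS code: a Python model of the approach discussed above, splitting Called-Station-Id into MAC and SSID and then applying one group rule per SSID instead of one users-file line per user. The `SSID_GROUP` table, the group names and the in-memory `DIRECTORY` standing in for an AD group lookup are assumptions constructed for illustration.

```python
import re

# Six hex octets with any (or no) separator, then optionally one separator
# and the SSID, as in the debug lines quoted above ("44:05:d9:0e:dd:40:SSID1").
_CALLED_RE = re.compile(
    r"^" + r"[^0-9a-f]?".join([r"([0-9a-f]{2})"] * 6) + r"(?:[^0-9a-f](.+))?$",
    re.IGNORECASE,
)

def split_called_station_id(value):
    """Return (normalised_mac, ssid_or_None); raise ValueError if no MAC is found."""
    m = _CALLED_RE.match(value.strip())
    if m is None:
        raise ValueError("no MAC address in Called-Station-Id: %r" % value)
    mac = "-".join(m.group(i) for i in range(1, 7)).upper()
    return mac, m.group(7)

# Hypothetical policy: one required group per SSID (names are constructed).
SSID_GROUP = {"SSID1": "wifi-ssid1", "SSID2": "wifi-ssid2"}

# Constructed stand-in for a directory group lookup.
DIRECTORY = {"bob": {"wifi-ssid1"}, "alice": {"wifi-ssid1", "wifi-ssid2"}}

def authorize(user, called_station_id, directory=DIRECTORY):
    """Accept only when the user holds the group tied to the SSID; fail closed."""
    try:
        _mac, ssid = split_called_station_id(called_station_id)
    except ValueError:
        return "reject"                      # unparseable attribute
    required = SSID_GROUP.get(ssid)
    if required is None:
        return "reject"                      # missing or unknown SSID
    groups = directory.get(user, set())      # unknown user has no groups
    return "accept" if required in groups else "reject"

if __name__ == "__main__":
    for user, csid in [("bob", "44:05:d9:0e:dd:40:SSID1"),
                       ("bob", "44:ad:82:0e:2d:40:SSID2"),
                       ("alice", "44:ad:82:0e:2d:40:SSID2")]:
        print(user, csid, authorize(user, csid))
```

Adding a user to the right group is then the only per-user step; the SSID rules stay at one entry per SSID.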

