Freeradius 2.2.5 Access by SSID

Matthew Newton mcn at freeradius.org
Wed Aug 9 16:01:27 CEST 2017


On Wed, 2017-08-09 at 10:41 -0300, Alejandro Cabrera Obed wrote:
> Dear Matthew, thanks for your response. Maybe I have to update from
> Freeradius 2.x to 3.x, in order to have more benefits like the one I
> want.

You don't need to for what you want to do, but you should do so in the
long run. There isn't much interest here in version 2 any more, it's
end of life. Version 4 is in the works, and version 3 has been out for
nearly four years now.

> After reading your explanation, I understand I have to edit the users
> file with a line like "bob     Called-Station-SSID != 'SSID1',
> Auth-Type := Reject" for each user that has to access the WiFi
> service... so if I have 500 users, I will have a lot of work because I
> have to replicate all the AD users in the Freeradius "users" file.
> These 500 users are in our Active Directory service that Freeradius
> authenticates to.

OK, I missed the bit where you said AD...

> So is there any manner to validate user / SSID against the AD in
> place of the "users" local file?

Configure the ldap module to do group lookups against AD. If you add
people into AD groups, let's say one per SSID, then you could look up
the group based on the SSID they are trying to join.

See the LDAP documentation on how to use the Ldap-Group virtual
attribute, e.g.

http://wiki.freeradius.org/modules/Rlm_ldap#group-support

Then compare this to the SSID. Depending on how many SSIDs you have you
might want to do a files lookup to get the group name from the SSID, or
just hardcode it in unlang. Along the lines of

# Reject anyone joining SSID1 who is not in that SSID's AD group.
if (Called-Station-SSID == "SSID1" and !(Ldap-Group == "group-ssid-one")) {
  reject
}

etc.

-- 
Matthew
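A fuller version of the "hardcode it in unlang" route from the reply above, as an added example that is not part of the original post and not the FreeRADIUS project's own configuration. It is written in the v2.2 unlang syntax the original poster is running. It assumes the NAS sends Called-Station-Id as "MAC:SSID" so the stock rewrite_called_station_id policy can populate Called-Station-SSID, that the ldap module has been set up for AD group lookups as described on the rlm_ldap wiki page, and that the SSID names and group DNs are placeholders:

```unlang
# Added example: per-SSID access gate for FreeRADIUS 2.2 unlang.
# Not from the original thread or the FreeRADIUS project.
#
# Assumptions (placeholders, not from the thread):
#   - The NAS sends Called-Station-Id as "AA-BB-CC-DD-EE-FF:SSID-Name";
#     the stock rewrite_called_station_id policy splits that into
#     Called-Station-Id (the MAC) and Called-Station-SSID (the SSID).
#   - The ldap module is configured for group lookups against AD
#     (see the rlm_ldap wiki page linked in the reply), so that
#     Ldap-Group comparisons resolve. Full group DNs are compared
#     below so the check does not depend on how bare group names are
#     mapped to DNs.
#   - "Corp-Staff", "Corp-Students" and the DC=example,DC=com DNs are
#     invented for illustration.
#
# With PEAP or EAP-TTLS the real User-Name is only visible in the
# inner-tunnel virtual server, so this belongs in its authorize section,
# with copy_request_to_tunnel = yes in eap.conf so that Called-Station-Id
# (and therefore Called-Station-SSID) is present on the inner request.

authorize {
    preprocess

    # Derive Called-Station-SSID from Called-Station-Id.
    rewrite_called_station_id

    # No SSID at all (wired port, or a NAS that does not append the
    # SSID): fail closed instead of silently skipping the check.
    if (!Called-Station-SSID) {
        reject
    }

    # One case per SSID; each SSID is open only to members of its AD group.
    switch "%{Called-Station-SSID}" {
        case "Corp-Staff" {
            if (!(Ldap-Group == "CN=wifi-corp-staff,OU=Groups,DC=example,DC=com")) {
                reject
            }
        }
        case "Corp-Students" {
            if (!(Ldap-Group == "CN=wifi-corp-students,OU=Groups,DC=example,DC=com")) {
                reject
            }
        }
        # Any SSID not listed above is denied rather than allowed by default.
        case {
            reject
        }
    }

    # The usual AD / EAP authorization for this virtual server follows
    # here (e.g. mschap, eap), unchanged; the SSID gate only adds
    # reject paths in front of it.
    mschap
    eap
}
```

The default `case` and the missing-SSID check are the parts worth keeping even if the SSID list is moved into a files lookup instead: without them, an SSID that is added on the controller but forgotten in RADIUS, or a NAS that stops appending the SSID, lets every AD user through.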
