Freeradius 2.2.5 Access by SSID

Wed Aug 9 17:57:16 CEST 2017

Matthew, thanks a lot for your support.

According to your response, I see I have to configure the
/etc/freeradius/modules/ldap file with my AD parameteres (IP, port,
user/pass for query, etc).

After that, please can you clarify this points?

1) Do I have to add a new attribute in the AD for each user, with a SSID
field in order to check it through LDAP lookup ?

2) Which file do I have to add "if (Called-Station-SSID == "SSID1" and
!(Ldap-Group == "group-ssid-one")) {reject}" sentence ?

3) What do I have to fill the Ldap-group attribute in my users file, If I
want to check SSID attribute and after that compare it with the SSID coming
into "Called-id-station"???

Regards!!!

2017-08-09 11:01 GMT-03:00 Matthew Newton <mcn at freeradius.org>:

> On Wed, 2017-08-09 at 10:41 -0300, Alejandro Cabrera Obed wrote:
> > Dear Matthew, thanks for yor response. Maybe I have to update from
> > Freeradius 2.x to 3.x, in order to have more benefits like the one I
> > want.
>
> You don't need to for what you want to do, but you should do so in the
> long run. There isn't much interest here in version 2 any more, it's
> end of life. Version 4 is in the works, and version 3 has been out for
> nearly four years now.
>
> > After reading your explanation, I understand I have to edit the users
> > file
> > with a line like "bob     Called-Station-SSID != 'SSID1', Auth-Type
> > :=
> > Reject" for each user that have to access to the WiFi service...so If
> > I
> > have 500 users, I will have a lot of work because I have to replicate
> > all
> > the AD users in the Freeradius "users" file. These 500 users are in
> > our
> > Active Directory service that Freeradius authenticate to.
>
> OK, I missed the bit where you said AD...
>
> > So is there any manner to validate user / SSID against the AD in
> > place of
> > the "users" local file????
>
> Configure the ldap module to do group lookups against AD. If you add
> people into AD groups, let's say one per SSID, then you could look up
> the group based on the SSID they are trying to join.
>
> See the LDAP documentation on how to use the Ldap-Group virtual
> attribute, e.g.
>
> http://wiki.freeradius.org/modules/Rlm_ldap#group-support
>
> Then compare this to the SSID. Depending on how many SSIDs you have you
> might want to do a files lookup to get the group name from the SSID, or
> just hardcode it in unlang. Along the lines of
>
> if (Called-Station-SSID == "SSID1" and !(Ldap-Group == "group-ssid-
> one")) {
>   reject
> }
>
> etc.
>
> --
> Matthew
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>

-- 
 //  Alejandro   //