multi ssid use multi radcheck
Brian Candler
b.candler at pobox.com
Thu Mar 23 09:43:26 CET 2017
On 23/03/2017 05:34, gh.li at microshield.com.cn wrote:
> I have extended radcheck tables with field user_ssid, so the records like:
>
> and change the authorize_check_query statement to:
> "SELECT id, username, attribute, value, op FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' and ssid='%{Aruba_Essid_Name}' ORDER BY id"
>
> but I do not get the correct SQL statement:
> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'emp' and ssid='' ORDER BY id

Are you sure the incoming request contains an "Aruba_Essid_Name"
attribute? According to the dictionary I have here, it should have
dashes and not underscores:

    share/dictionary.aruba:ATTRIBUTE Aruba-Essid-Name 5 string

However, there's a better way to do what you're doing: separate
authentication (who you are) from authorization (what you are allowed to
do).

In the sql tables, you can do this using groups.

(1) Make each of your employee accounts members of an 'employee' group
(insert into the usergroup_table which is by default called "radusergroup")

(2) Add your authorization rules into unlang, in a policy entry called
from your authorize{} or post-auth{} section

    wireless_authz {
        # Reject SSID-EMP requests from users who are not in the 'employee' group
        if (&Aruba-Essid-Name == "SSID-EMP" && !(&SQL-Group[*] == 'employee')) {
            reject
        }
    }

(It might be possible to hack something together using the radgroupcheck
table, but the unlang approach is simple and explicit)

HTH,

Brian.
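
Step (1) above written out as SQL, with an audit query to run before the policy is enabled. This is an added example, not part of the original message; it assumes the default FreeRADIUS SQL schema (radusergroup with username, groupname and priority columns), and 'emp' is the username from the thread.

```sql
-- Step (1): put the employee account into the 'employee' group.
-- Table and column names are those of the default FreeRADIUS schema
-- (assumption: the schema has not been customised).
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('emp', 'employee', 1);

-- Audit before enabling wireless_authz: accounts that have credentials in
-- radcheck but are NOT in the 'employee' group. With the policy in place,
-- these accounts are rejected when the request carries
-- Aruba-Essid-Name = "SSID-EMP".
SELECT DISTINCT c.username
FROM radcheck AS c
LEFT JOIN radusergroup AS g
       ON g.username = c.username
      AND g.groupname = 'employee'
WHERE g.username IS NULL
ORDER BY c.username;
```

An empty result from the second query means every account with a radcheck entry is already in the group.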