Freeradius Restrict User Auth Request Based on VLAN

Alan DeKok aland at deployingradius.com
Wed Jan 17 10:15:44 CET 2018


On Jan 17, 2018, at 2:12 AM, JAHANZAIB SYED <aacable at hotmail.com> wrote:
> 
> We have Mikrotik as NAS and Freeradius as billing. VLANs are configured for each dealer's area. We have a few reseller/franchise managers, like Dealer-A, Dealer-B. They can create their own users in freeradius using a frontend designed in PHP. All dealers can view/edit their own users only.
> 
> Sometimes it happens that Dealer-A creates an ID and gives it to a user/friend who is sitting in Dealer-B's network, therefore from a billing perspective it's a loss for Dealer-B.
> 
> Can we impose some restriction so that User-IDs created by each dealer should be able to connect only from his network (or from their own VLAN)?

  Sure.  You need to update your DB schema and queries tho.

- put the NASes into groups (dealer-A, dealer-B, etc.)
- ensure that the users are somehow associated with different dealers
- on login, look up dealer of NAS (call this NAS-dealer)
- on login, look up dealer of user (call this User-dealer)
- if User-dealer != NAS-dealer, then reject

  More details can't be given, because your question is very high level.

  Alan DeKok.



