Freeradius Restrict User Auth Request Based on VLAN
aacable at hotmail.com
Wed Jan 17 10:25:44 CET 2018
What if we have only single NAS?
All users are pppoe base and connects to single main NAS.
From: Freeradius-Users <freeradius-users-bounces+aacable=hotmail.com at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Sent: Wednesday, January 17, 2018 2:15 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius Restrict User Auth Request Based on VLAN
On Jan 17, 2018, at 2:12 AM, JAHANZAIB SYED <aacable at hotmail.com> wrote:
> We have Mikrotik as NAS and Freeradius as billing. VLAN are configured for each dealer's area. We have few reseller/franchise managers, like Dealer-A, Dealer-B. They can create there own users in freeradius using fronted designed in php. All dealers can view/edit there own users only.
> Sometimes it happens that Dealer-A creates ID and give it to a user/friend who is sitting in Dealer-B network, therefore from Billing perspective its a Loss of Dealer-B.
> Can we impose some restriction so that User-ID's created by each dealer should be able to connect only from his network (or from there own VLAN) only.
Sure. You need to update your DB schema and queries tho.
- put the NASes into groups (dealer-A, dealer-B, etc.)
- ensure that the users are somehow associated with different dealers
- on login, look up dealer of NAS (call this NAS-dealer)
- on login, lookup dealer of user (call this User-Dealer)
- if User-dealer != NAS-dealer, then reject
More details can't be given, because your question is very high level.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users