Freeradius Restrict User Auth Request Based on VLAN
Nathan Ward
lists+freeradius at daork.net
Wed Jan 17 12:07:09 CET 2018
Hi,
> On 17/01/2018, at 11:58 PM, JAHANZAIB SYED <aacable at hotmail.com> wrote:
>
> Ok I added this in RADCHECK table.
>
> NAS-Port-Id == VLAN2
>
>
> & it seems to be working fine.
Awesome !
> Is there any way I can customize the radreply if a user gets rejected due to an incorrect VLAN (for log purposes)?
>
>
> ------------------------
>
>
> Example of one module I have that checks for Invalid MAC.
>
>
> checkval {
>     reject = 1
> }
> if (reject) {
>     ok
>     update reply {
>         Reply-Message := "Incorrect MAC!"
>         Framed-Pool := "invalid-mac-address-pool"
>         Mikrotik-Rate-Limit := "1k/1k"
>     }
> }
>
>
> I want something similar for the Incorrect VLAN users.
>
> is it possible?
Not really. Doing it the way you are now with radcheck, it doesn’t tell you which didn’t match; it tells you that there were no matches for all of the conditions.
2 options off the top of my head (others may have better ideas):
1) Use radcheck, if it rejects, use sql xlat to check if there is a user match but not a NAS-Port-Id match.
2) Instead of adding NAS-Port-Id to radcheck, if it is successful use sql xlat to check a different table which has a Username and NAS-Port-Id columns, and validate that the NAS-Port-Id matches that username, and then you know that username auth was successful but “dealer” auth was / was not.
(1) is probably faster (1 query for successful auth), (2) is probably conceptually easier to understand for people in the future who have to debug this.
--
Nathan Ward
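The two options above, written out as unlang for a FreeRADIUS 3.x virtual server. This is an added example, not Nathan's or the poster's config: it assumes the default "sql" module instance with the stock radcheck schema, and the user_vlan table, its column names and the "Incorrect VLAN!" text are hypothetical. Attributes expanded inside the sql xlat (such as %{User-Name}) pass through the sql module's escape function, so the queries are not open to injection through the supplied username.

```unlang
# sites-enabled/default (added example; not from the thread).
# Assumes: default "sql" instance, stock radcheck table.
# Hypothetical: user_vlan(username, nas_port_id) table, reply text.

# Option (1): keep "NAS-Port-Id == VLAN2" in radcheck and work out, after the
# reject, whether the user exists but the VLAN check item failed.
post-auth {
    Post-Auth-Type REJECT {
        # A username with radcheck rows was rejected because a check item
        # did not match; a username with no rows at all is simply unknown.
        if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username = '%{User-Name}'}" != "0") {
            # Does any radcheck row allow the VLAN this request arrived on?
            if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username = '%{User-Name}' AND attribute = 'NAS-Port-Id' AND value = '%{NAS-Port-Id}'}" == "0") {
                update reply {
                    Reply-Message := "Incorrect VLAN!"
                }
            }
        }
        # Keep the rest of the stock REJECT handling after this point.
        sql
        attr_filter.access_reject
    }
}

# Option (2): leave NAS-Port-Id out of radcheck. Once sql has found the user,
# validate the VLAN against the separate user_vlan table and reject on mismatch.
authorize {
    sql
    if (ok || updated) {
        if ("%{sql:SELECT COUNT(*) FROM user_vlan WHERE username = '%{User-Name}' AND nas_port_id = '%{NAS-Port-Id}'}" == "0") {
            update reply {
                Reply-Message := "Incorrect VLAN!"
            }
            reject
        }
    }
}
```

Two things to check when adopting either form. Option (1) costs one extra query only on the reject path, matching the "1 query for successful auth" point above; option (2) adds a query on every successful authentication but keeps the VLAN rule in a table whose meaning is obvious to whoever debugs it later. In both, the reject passes through attr_filter.access_reject, which strips everything except a few attributes such as Reply-Message, so the Framed-Pool and Mikrotik-Rate-Limit items from the MAC example only reach the NAS because that example answers with `ok` rather than a reject.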