Freeradius Restrict User Auth Request Based on VLAN

JAHANZAIB SYED aacable at hotmail.com
Wed Jan 17 12:47:37 CET 2018


Respected Nathan Ward,


I just tested following & worked ok,


if ("%{sql: select vlanid from users where username = '%{User-Name}'}" != "%{NAS-Port-Id}") {
    update reply {
        Reply-Message = 'You are not allowed to connect from this VLAN'
    }
    update control {
        Auth-Type := "Reject"
    }
}

Any suggestions to improve this? Is this approach OK?


Can I make a module for it, and take action based on the return result? In the checkval/expiration modules?



________________________________
From: Freeradius-Users <freeradius-users-bounces+aacable=hotmail.com at lists.freeradius.org> on behalf of Nathan Ward <lists+freeradius at daork.net>
Sent: Wednesday, January 17, 2018 4:07 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius Restrict User Auth Request Based on VLAN

Hi,

> On 17/01/2018, at 11:58 PM, JAHANZAIB SYED <aacable at hotmail.com> wrote:
>
> Ok I added this in RADCHECK table.
>
> NAS-Port-Id == VLAN2
>
>
> & it seems to be working fine.

Awesome !

> Is there any way I can customize the radreply if a user gets rejected due to an incorrect VLAN (for log purposes)?
>
>
> ------------------------
>
>
> Example of one module I have that checks for Invalid MAC.
>
>
> checkval {
>     reject = 1
> }
> if (reject) {
>     ok
>     update reply {
>         Reply-Message := "Incorrect MAC!"
>         Framed-Pool := "invalid-mac-address-pool"
>         Mikrotik-Rate-Limit := "1k/1k"
>     }
> }
>
>
> I want something similar for the Incorrect VLAN users.
>
> is it possible?

Not really. Doing it the way you are now with radcheck, it doesn't tell you which condition didn't match; it tells you that there were no matches for all of the conditions.

2 options off the top of my head (others may have better ideas):
1) Use radcheck, if it rejects, use sql xlat to check if there is a user match but not a NAS-Port-Id match.
2) Instead of adding NAS-Port-Id to radcheck, if it is successful use sql xlat to check a different table which has Username and NAS-Port-Id columns, and validate that the NAS-Port-Id matches that username. Then you know that username auth was successful but "dealer" auth was / was not.

(1) is probably faster (1 query for successful auth), (2) is probably conceptually easier to understand for people in the future who have to debug this.

--
Nathan Ward
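Option (2) written out as an unlang policy, added here as an illustration and not code from either poster. It assumes a constructed table `user_vlan(username, nas_port_id)`, the default `sql` module instance, FreeRADIUS 3.x syntax, and that a user with no row in that table is unrestricted.

```unlang
# Added example: option (2) from the reply above as an unlang policy.
# Assumed (constructed for this example):
#   table user_vlan(username VARCHAR, nas_port_id VARCHAR)
#   the default sql module instance named "sql"
# Put this in policy.d and call it from the authorize section
# after the sql module has run, e.g.:
#
#   authorize {
#       ...
#       sql
#       check_user_vlan
#       ...
#   }

check_user_vlan {
    # Look up the VLAN (NAS-Port-Id value, e.g. "VLAN2") this user may use.
    # The xlat expands to an empty string when no row exists.
    update request {
        &Tmp-String-0 := "%{sql:SELECT nas_port_id FROM user_vlan WHERE username = '%{User-Name}'}"
    }

    if (&Tmp-String-0 == "") {
        # No VLAN restriction recorded for this user: leave the decision
        # to the normal username/password check.
        noop
    }
    elsif (&Tmp-String-0 == &NAS-Port-Id) {
        # The request arrived on the permitted VLAN.
        ok
    }
    else {
        # The username is known but the VLAN is wrong. Because this
        # branch is separate from the password check, the reject reason
        # is unambiguous in the reply and in the server log.
        update reply {
            &Reply-Message := "You are not allowed to connect from VLAN %{NAS-Port-Id}"
        }
        update control {
            &Auth-Type := Reject
        }
    }
}
```

Reviewing the debug output (`radiusd -X`) for a test user with a deliberately wrong NAS-Port-Id shows which branch fired, which is the log distinction the thread asks for.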


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html