NAS-restricted users

Alan DeKok aland at deployingradius.com
Wed May 9 18:28:10 CEST 2018


On May 9, 2018, at 12:07 PM, brent s. <bts at square-r00t.net> wrote:
> I've been reading the docs and previous mailing posts, but I'm still a
> little unclear on some things and wanted to run something by the list
> first for a sanity check/to see if there's a better way of doing this.
> 
> I store NASes in MySQL and user accounts in LDAP (if necessary, this can
> be changed to store NASes in LDAP as well). I want to only allow users
> to authenticate if they're coming from a specific NAS associated with
> their account.
> 
> 1.) What would be the most appropriate attribute for this in LDAP?
> Accounts currently have the following objectClasses: account,
> extensibleObject, radiusprofile, simpleSecurityObject, top.

  The best way is to put the users into an LDAP group, and then do LDAP group checking.

> 2.) Can I even use the ${shortname} macro in a
> raddb/mods-available/ldap:ldap{user{filter=}} context? I would *assume*
> so since the NAS handling is done before the authentication handling,
> but assumptions are a bad thing to operate off of. The unlang
> documentation indicates I can't use unlang in this context, which is
> fine since I can just incorporate it into the LDAP filter, but I'm
> having some difficulty finding which macros are available where.

  The ${...} macros are expanded when the configuration file is read, and are static after that.

> 3.) Is there a better way to do this (preferably without duplicating NAS
> entries)? Ideally without using huntgroups or the like, which is how I
> usually see this sort of functionality achieved.

  LDAP groups are by far and away the best solution.

  Alan DeKok.
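An added configuration example, not from the thread, showing the group-based approach Alan suggests in FreeRADIUS 3.x. It assumes an LDAP group per NAS named `nas-<shortname>` under an assumed `ou=groups,dc=example,dc=com`, and relies on `%{client:shortname}`, a run-time xlat, rather than a `${...}` macro, which would be fixed at config-read time.

```unlang
# raddb/mods-available/ldap  (inside the ldap { ... } block)
# Tell the ldap module where NAS groups live so LDAP-Group checks work.
group {
    base_dn = "ou=groups,dc=example,dc=com"   # assumed base DN
    filter = "(objectClass=groupOfNames)"
    name_attribute = cn
    # Membership resolved by searching the group for the user's DN.
    membership_filter = "(member=%{control:Ldap-UserDn})"
}

# raddb/sites-enabled/default  (inside authorize { ... }, after the ldap call)
authorize {
    ...
    ldap
    # %{client:shortname} is expanded per request from the client definition
    # (SQL-backed clients included), so one policy covers every NAS.
    # Assumed naming scheme: group "nas-<shortname>" lists the users allowed
    # to authenticate from that NAS.  Anyone else is rejected before Auth-Type
    # is chosen, so no password check happens for the wrong NAS.
    if (!(&LDAP-Group == "nas-%{client:shortname}")) {
        update reply {
            Reply-Message := "Not permitted from this NAS"
        }
        reject
    }
    ...
}
```

When a user is rejected this way, `radiusd -X` shows the expanded group name in the condition evaluation, which is the quickest way to confirm the shortname from the SQL client table matches the LDAP group naming.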