How to Reject Anonymous Identity
Selahattin Cilek
selahattin_cilek at hotmail.com
Fri Nov 2 17:08:32 CET 2018
I use FreeRADIUS 3.0.17 to provide services on a site. Ever since I
stepped into the world of RADIUS, I have been dealing with the issue of
"anonymous" users. I have been abusing the *Class* attribute to work around
the problem, but after some deliberation, I've decided that it would be
best if I could reject anonymous users right away.
I already have a MySQL stored procedure named "is_login_allowed" that
checks if a user is in a locked state or not and I use it like this in
the *authorize* section of the *default*, *inner-tunnel-ttls*,
*inner-tunnel-peap* sites:

    authorize {
        if ("%{sql: CALL is_login_allowed('%{User-Name}')}" == "0" ) {
            reject
        }
    }

Currently, this stored procedure can check if a user with a given name
exists in the database, and if not, return *0* to make FreeRADIUS
reject access to that user.
What I'd like to know, though, is whether there is a better, more elegant
FreeRADIUSy way of achieving the same goal. For example, would something
like below work?

    authorize {
        if("%{outer.request.UserName}" != "%{inner.request.UserName}"){
            reject
        }
    }
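
The outer/inner identity comparison asked about above, combined with the existing SQL check, as an added example that is not part of the original post or of the FreeRADIUS distribution. It assumes FreeRADIUS 3.0.x unlang, where a tunnelled request reaches the outer EAP request through the "outer.request:" list qualifier and reads its own attributes without a qualifier; the failure message texts are constructed for illustration.

```unlang
# Added example: authorize section of an inner-tunnel virtual server
# (the inner-tunnel-ttls / inner-tunnel-peap sites named in the post).
authorize {
	# If either identity is missing there is nothing to compare: refuse.
	if (!&outer.request:User-Name || !&User-Name) {
		update request {
			&Module-Failure-Message += "Inner or outer User-Name missing"
		}
		reject
	}

	# An anonymised outer identity (for example "anonymous" or
	# "anonymous@realm") never equals the real inner identity,
	# so an exact inequality test rejects it.
	if (&outer.request:User-Name != &User-Name) {
		update request {
			&Module-Failure-Message += "Outer identity differs from inner identity"
		}
		reject
	}

	# The existing check from the post, unchanged: the stored procedure
	# returns 0 when the user does not exist or is locked.
	if ("%{sql: CALL is_login_allowed('%{User-Name}')}" == "0") {
		reject
	}
}
```

The comparison is an exact string match, so an outer identity that differs only in realm or letter case is rejected as well. It belongs only in the inner-tunnel sites, because a request handled by the *default* site has no outer request to compare against.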