Restricting users to their own devices
Alan DeKok
aland at deployingradius.com
Mon Apr 22 18:37:05 CEST 2019
On Apr 22, 2019, at 12:10 PM, Sudheer S <sudheer at techchorus.net> wrote:
>
> I am using FreeRADIUS and I want to restrict users to their own devices.
>
> I have inserted the MAC addresses of the users in the radcheck table with the attribute Calling-Station-Id. Here's an example:
>
> SELECT * FROM radcheck;
> id | username | attribute | op | value
> -------+------------+--------------------+----+--------------
> 23175 | testuser01 | Cleartext-Password | := | password
> 23177 | testuser01 | Calling-Station-Id | := | aabbccddeefa
> 23178 | testuser01 | Calling-Station-Id | := | aabbccddeeff
>
> In this case, the user testuser01 has two devices. aabbccddeefa and aabbccddeeff are their respective MAC addresses.
No.
Read the Wiki for rlm_sql to see how it works. You're using the ":=" operator, which means you're *setting* the Calling-Station-Id, not *checking* it.
> In the authorize section, I have this snippet:
>
> if (Calling-Station-Id != "%{sql: SELECT value FROM radcheck WHERE username='%{User-Name}' AND value='%{Calling-Station-Id}'}") {
If you have custom queries, then you should use a custom schema. Using the standard schema to do non-standard things is just bad.
>     # set the reply message first: a bare return code such as "reject"
>     # exits the section immediately, so anything after it never runs
>     update reply {
>         Reply-Message = "Unauthorized device"
>     }
>     reject
> }
>
> This setup works.
>
> I was wondering whether this is an acceptable way to restrict users to their own devices.
>
> Initially, I assumed FreeRADIUS would restrict the users based on Calling-Station-Id in the radcheck table. But when I tested, my assumption was wrong.
Yes, the server works as documented. And this *is* documented.
> Therefore, I put up the unlang. Please advise on best practices to handle such requirements.
Create a custom table for custom queries.
Alan DeKok.
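As an added illustration of the "custom table for custom queries" advice (this is example code, not part of the thread and not FreeRADIUS's own schema), the device list can live in its own table instead of being stored as radcheck rows whose operators have check-item meaning. The table and column names (user_device, username, mac) and the sample rows are constructed for the example.

```sql
-- Added example: a dedicated table for per-user device restrictions,
-- kept out of radcheck so the standard schema keeps its documented
-- check-item semantics. Table and column names are hypothetical.
CREATE TABLE user_device (
    id        INTEGER PRIMARY KEY,
    username  VARCHAR(64) NOT NULL,
    -- store the address in exactly the form the NAS sends it in
    -- Calling-Station-Id, otherwise the equality test below never matches
    mac       VARCHAR(17) NOT NULL,
    UNIQUE (username, mac)
);
CREATE INDEX user_device_username ON user_device (username);

-- Constructed sample data for the user from the thread.
INSERT INTO user_device (username, mac) VALUES
    ('testuser01', 'aabbccddeefa'),
    ('testuser01', 'aabbccddeeff');

-- The lookup to run from unlang: it yields the address when the device is
-- registered to that user and no row at all otherwise, so the caller only
-- has to test whether the expansion came back empty.
SELECT mac
  FROM user_device
 WHERE username = 'testuser01'
   AND mac      = 'aabbccddeefa';
```

In the authorize section the query is used through the sql xlat, with the attribute references expanded in place of the literals above, e.g. `if ("%{sql:SELECT mac FROM user_device WHERE username='%{User-Name}' AND mac='%{Calling-Station-Id}'}" == "") { update reply { Reply-Message := "Unauthorized device" } reject }`. Because `reject` leaves the section as soon as it runs, the `update reply` has to come before it, and the radcheck table is left holding only the password, which is what its `:=` rows were meant for.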