Guest mode with different passprhases
Hans-Christian Esperer
hc at hcesperer.org
Thu Jan 3 16:25:15 CET 2019
Thanks all for the replies.
For now, I've solved it like this:
There are unique usernames in addition to passphrases, matching guest[0-9]+
A simple perl script handles post-auth and when a guest[0-9]+ user is first
encountered, the timestamp+MAX_CONNECT_TIME is stored. Later, the timestamp is
compared to the current timestamp and if that greater than the stored max time,
the user is rejected, otherwise accepted.
I'm thinking rather than to reject the user, to assign them to a different VLAN
where a capture domain exists informing the user that their guest login has
expired.
I'll attach the script in case anyone is interested. It's the first time I use
perl, so it's probably less than optimal.
Cheers,
HC
-------------- next part --------------
sub post_auth {
my $gn = $RAD_REQUEST{'User-Name'};
if ($RAD_REQUEST{'User-Name'} =~ /^[Gg][Aa][Ss][Tt][0-9]+$/) {
my $filename = "/usr/local/etc/raddb/guests/guest_$gn.txt";
my $currtime = time();
my $maxtime = $currtime + 3600 * 8; # 8 hours
if (open (my $fh, '<:encoding(UTF-8)', $filename)) {
while (my $row = <$fh>) {
chomp($row);
$maxtime = $row;
}
close $fh;
} else {
&radiusd::radlog(L_AUTH, "New guest user $gn");
open (my $wfh, '>:encoding(UTF-8)', $filename) or
die ("Unable to write to $filename");
print $wfh $maxtime;
close $wfh;
}
if ($maxtime > time()) {
&radiusd::radlog(L_AUTH, "Accepting guest user $gn due $maxtime > $currtime");
return RLM_MODULE_OK;
} else {
&radiusd::radlog(L_AUTH, "Rejecting guest user $gn due $maxtime < $currtime");
return RLM_MODULE_REJECT;
}
#$RAD_REPLY{'Tunnel-Medium-Type'} = "IEEE-802";
} else {
&radiusd::radlog(L_AUTH, "User $gn is not a guest user. Allowing.");
}
return RLM_MODULE_OK;
}
More information about the Freeradius-Users
mailing list