Guest mode with different passprhases

Hans-Christian Esperer hc at
Thu Jan 3 16:25:15 CET 2019

Thanks all for the replies.

For now, I've solved it like this:

There are unique usernames in addition to passphrases, matching guest[0-9]+

A simple perl script handles post-auth and when a guest[0-9]+ user is first
encountered, the timestamp+MAX_CONNECT_TIME is stored. Later, the timestamp is
compared to the current timestamp and if that greater than the stored max time,
the user is rejected, otherwise accepted.

I'm thinking rather than to reject the user, to assign them to a different VLAN
where a capture domain exists informing the user that their guest login has

I'll attach the script in case anyone is interested. It's the first time I use
perl, so it's probably less than optimal.

-------------- next part --------------
sub post_auth {
        my $gn = $RAD_REQUEST{'User-Name'};
        if ($RAD_REQUEST{'User-Name'} =~ /^[Gg][Aa][Ss][Tt][0-9]+$/) {
                my $filename = "/usr/local/etc/raddb/guests/guest_$gn.txt";
                my $currtime = time();
                my $maxtime = $currtime + 3600 * 8; # 8 hours
                if (open (my $fh, '<:encoding(UTF-8)', $filename)) {
                        while (my $row = <$fh>) {
                                $maxtime = $row;
                        close $fh;
                } else {
                        &radiusd::radlog(L_AUTH, "New guest user $gn");
                        open (my $wfh, '>:encoding(UTF-8)', $filename) or
                                die ("Unable to write to $filename");
                        print $wfh $maxtime;
                        close $wfh;
                if ($maxtime > time()) {
                        &radiusd::radlog(L_AUTH, "Accepting guest user $gn due $maxtime > $currtime");
                        return RLM_MODULE_OK;
                } else {
                        &radiusd::radlog(L_AUTH, "Rejecting guest user $gn due $maxtime < $currtime");
                        return RLM_MODULE_REJECT;
                #$RAD_REPLY{'Tunnel-Medium-Type'} = "IEEE-802";
        } else {
                &radiusd::radlog(L_AUTH, "User $gn is not a guest user. Allowing.");

        return RLM_MODULE_OK;

More information about the Freeradius-Users mailing list