Freeradius-Users Digest, Vol 178, Issue 5

Ted Hyde (RSI) thyde at
Mon Feb 3 19:41:53 CET 2020

   Greets - is there a way in unlang to test against attributes created
   after a 'files' module? Not sure if I'm asking that correctly, so
   here's what I'm trying to do:

   SSID: test1 -- EAP-TLS only with cert loaded on supplicant, no further
   auth (my usual setup)

   SSID: test2 -- EAP-TTLS with mac auth and user-name/pwd auth to
   restrict unauthorized Apple clients (like watches)

   SSID: test3 -- EAP-TTLS with only user-name/pwd for a guest access

   clients associating with test1 only associate with test 1 (since they
   are the only ones with a cert pre-installed and choose eap-tls mode to
   make it work, thus no user/pwd/mac filtering needed), usernames from
   'test2' shall be permitted to ONLY associate with test2, and usernames
   for test3 shall be permitted to ONLY associate with test3. IF a client
   attempts associating with test2 and has a valid username/pwd in
   eap-ttls mode, then its mac is checked against a separate file
   (auth_macs) for final permission.

   I've been testing this out with manually-typed entries in nested
   if/switch statements with success, however I would "like" to be able to
   set my own VSA in the users file (or authorize file, since this is FR3)
   and be able to test against it inside of my default virtual-server:

   >>>>>>>eg "files/authorize" (assuming "My-Allowed-SSID is in the
   dictionary correctly):

   myusername  Cleartext-Password := "mypassword"
           My-Allowed-SSID = "test2"

   >>>>>>>>>and in "mods-enabled/files" appending:

   files authorized_macs {
           key = "%{Calling-Station-ID}"
           usersfile = ${confdir}/authorized_macs

   >>>>>>>>>in "${confdir}/authorized_macs":

           Reply-Message = "Device authorized".

   >>>>>>>>>and in "sites-enabled/default":

   if (Eap-Message) {


       if (Cisco-AVPair[0] == "ssid=test2") {


           if (ok) {

                   <<< some method of calling files and testing if
   UserName matches Password and returning value of My-Allowed-SSID, and
   testing against = test2 >>>

                   if (<<<ok and My-Allowed-SSID == "test2">>>) {







   I will eventually roll this over to a postgres db, but want to "make it
   work in the simple mode first". So far I have not been able to figure
   out how I would reference an attribute after calling a lookup from
   "files" or similar; the docs I am reading (network... and point to module responses being mostly enumerated
   responses, not something that can contain dynamic responses and later

   Realizing this is a hugely complex question, and certainly not the only
   way to go about getting to the goal, this is also
   half-learn-more-about-FR than just a task for the office.

   Is there a way of having a separate "users" file (or files/authorize)
   that is queried after eap but does double-duty of the authorized_macs
   and username/pwd? The pwd for an account that has a restricted mac
   filter will be one-to-one (one mac, one u/p, one SSID combination).



More information about the Freeradius-Users mailing list