allow WLAN-access in certain offices only

Alan DeKok aland at
Tue Apr 20 21:46:01 CEST 2021

On Apr 20, 2021, at 1:04 PM, radius.pkoch at wrote:
> I have just compiled Freeradius from source and red some of the documentation.
> WPA2-EAP works with username bob and password hello.
> radiusd -X shows no errors.

  That's good.

> Now here's what I would like to achive and maybe some of you can point me
> into the right direction:
> We have equipped all of our offices (approx 100) with seperate WLAN access points.
> Every employee should be able to access the access point in its own office and
> in some of our conference rooms. Every employee owns an OAuth token that
> generates a 6digit one time password.

  That's nice, but you really don't want to use OAuth with Wifi.  I don't even know how that would work.

  i.e. WiFi is bad enough that devices end up re-authenticating multiple times a day.  And you definitely don't want users to be asked 5-10 times a day for a new one-time password.

  Just use a password.  Or, use EAP-TLS and client certificates.

> Whenever a user tries to access a WLAN access point with his username
> and his one time password the following should happen:

  Scratch all that.

  First, you should figure out how WiFi works.  Then, figure out if your suggested process fits into that.

  If it doesn't, throw away your requirements about what "should happen", and go with something which is realistic.

> 1) if the password is wrong access should be denied

  So... password checking like normal.  But if this is for passwords which change multiple times a day, then it just won't work.

> 2) if the access point is not located in the office of the employee or in one
> of the conference rooms of the employees department access should be denied

  So... check the source AP to see if it's allowed.  How do you check that?  Read the debug output to see what each AP sends, and then write rules to match those.

> Our central oracle database has information about the ip-address and location
> of every access point and the office rooms of every employee.

  Location is irrelevant.  The only thing that matters is what's in the RADIUS packets, and what's shown in the debug logs.

  Does the term "Conference room 5" appear in the RADIUS packet?  No?   Then you'll have to figure out some other way which access point is which.  Maybe by looking at host names (if they show up in the RADIUS packet), or IP addresses (if they should up in the RADIUS packet), or by MAC (well, you get the idea by now).

> My first idea was to write a php-script (because that's the scripting language
> I'm familiar with) and use that via rlm_exec. I will do this as a proof of concept.

  To do... what?  You haven't said.

> Since neither I nor any of my colleagues have perl-experience I'd rather write
> a new module in C than use perl.
> Is there a module that will send all parameters to a unix or inet socket and
> receives the results from that socket? How abount rlm_socket?

  To do... what?

  How is any token going to be checked?  REST API?  What?

  Your last comments here are really "how do I write a script to do stuff".  The only answer is "I dunno, it depends on what stuff you want to do".

  Alan DeKok.

More information about the Freeradius-Users mailing list