Separate users in two groups (staff and guests) in FreeRADIUS 3
If you want to assign groups to users, do it with check items, which insert items into the &control list, i.e.
guest1 Mygroup := 'guests', Cleartext-Password := 'password1'
staff1 Mygroup := 'staff', Cleartext-Password := 'kdjsfhksf'
and then
if ((&control:MyGroup == 'guests') && (&Called-Station-SSID == 'STAFF')) {
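A fail-closed variant of the check above, as an added example that is not part of the original answer or of the FreeRADIUS project's own configuration: on the STAFF SSID it rejects every user whose &control:MyGroup is not exactly 'staff', so an entry with a missing or mistyped group is not admitted by default. It assumes the authorize section of the default site described in the question, and that the User-Name seen there matches an entry in the users file.

```unlang
# sites-available/default (added example; the fail-closed block is an assumption, not the poster's config)
authorize {
	# ... existing modules ...

	files                        # check items from the users file land in &control
	rewrite_called_station_id    # derives &Called-Station-SSID from Called-Station-Id

	# Deny-list form from the answer: only users tagged 'guests' are stopped.
	# A user entry with no MyGroup, or with a mistyped value, still passes on STAFF.
	#if ((&control:MyGroup == 'guests') && (&Called-Station-SSID == 'STAFF')) {
	#	reject
	#}

	# Fail-closed form: on STAFF, anything not explicitly 'staff' is rejected.
	# The existence test comes first, so a missing attribute rejects the request
	# instead of leaving the comparison with nothing to evaluate.
	# String comparison is exact: 'STAFF' must match the SSID as the access point sends it.
	if (&Called-Station-SSID == 'STAFF') {
		if (!&control:MyGroup || (&control:MyGroup != 'staff')) {
			reject
		}
	}

	# ... rest of authorize ...
}
```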
jamarju
Updated on September 18, 2022
Comments
-
jamarju almost 2 years
I have a FreeRADIUS (3.0.15) server for WPA authentication (PEAP + MSCHAPv2) and everything works out of the box even though it feels like it would take a lifetime of study in an enclosed monastery to master every bit of the configuration.
I have my users in the users file and I would like to keep it that way (versus sql or ldap) because I like the convenience of editing users with a simple text editor.
What I'm trying to accomplish:
I have two SSIDs (staff and guests) and I would like to separate my users in two groups such that a guest user is rejected if they try to authenticate on the staff SSID.
What I have so far:
In my users file:
    DEFAULT MyGroup := 'guests', Fall-Through := Yes
    # Guest users
    guest1 Cleartext-Password := 'password1'
    # End of guest users
    DEFAULT MyGroup := 'staff', Fall-Through := Yes
    # Staff users
    staff1 Cleartext-Password := 'kdjsfhksf'
    # End of staff users
My hope is that, after parsing the file, the reply:MyGroup attribute has staff or guest depending on what user matched the request.
My dictionary file has this:
    ATTRIBUTE MyGroup 3000 string
And my default site has this in the authorize group, right after the files module. The rewrite_called_station_id creates a new attribute Called-Station-SSID, which I use along the MyGroup attr created by the files mod to try and filter the users:
    # get SSID from Called-Station-Id
    rewrite_called_station_id
    # check guest connecting to staff SSID and reject if so
    if (&MyGroup == 'guests' && &Called-Station-SSID == 'STAFF') {
        reject
    }
I also tried this:
if (&reply:MyGroup == 'guests' && &Called-Station-SSID == 'STAFF') {
But in any case I get the following error:
    if (&reply:MyGroup == 'guests' && &Called-Station-SSID == 'STAFF') {
    ERROR: Failed retrieving values required to evaluate condition
At this point I have no clue what's going on and how to fix it.
-
jamarju almost 7 years
Aha! That's the missing piece I was looking for! You are my hero, thanks!!