How can I give a FreeRadius User only access to ONE CP in Multi CP Setup?
-
Hi folks,
I've got 2 networks and gave each segment its own CP.
I also installed FreeRADIUS and created users 'a' and 'b' in it.
Everything works fine so far. The issue I can't solve is that user 'b' should only use the 2nd network,
but users 'a' and 'b' can log in to the CP on any network.
There is no way (that I found) to tell user 'b' to only use the 2nd network. Can someone give me a hint? Link?
Or did I find a bug?
I didn't find a scenario like this anywhere. THX.
-
Hi,
I didn't test that myself, but I think it could be done with some additional attributes FreeRADIUS should check:
When user "b" should be allowed to only connect from CP2 - which has IP address 192.168.10.1 - then you should add this as a "check-item" on this user:
NAS-IP-Address == 192.168.10.1
So if the authentication request comes from CP2, which has IP address 192.168.10.1, then the check is true and user "b" can access. If the user tries to authenticate from a different CP with a different IP address, user "b" cannot connect.
Users who should be able to connect from both CPs should not have this additional check-item.
If you have users who should be able to authenticate from different IP addresses, then this link could be helpful:
http://freeradius.1045715.n5.nabble.com/Logical-OR-with-Check-Attributes-td3265998.html
Check the operator =~
Hope this will help you!
-
Hello Nachtfalke,
You saved me! ;D
THNX for pointing me in the right direction.
I found a BUG in pfSense too. If a user is only accepted in one CP, you should use: NAS-IP-Address == 10.1.18.1
If a user is accepted in different CPs, you should use: NAS-IP-Address =~ "10.1.18.1 | 10.8.18.1"
The solution:
Look at the attached pics.
IMPORTANT: If you need to use a REGEXP for more than one network, you HAVE to go to the console and correct the users file manually!
In pfSense it looks like: NAS-IP-Address =~ "10.1.18.1 | 10.8.18.1"
but saved in the file after you pressed save: NAS-IP-Address =~ "10.1.18.1 10.8.18.1"
The | is missing in the REGEXP.
Then you should go to the console and correct the file entry manually:
vi /usr/pbi/freeradius-amd64/etc/raddb/users
"penthouse" MD5-Password := "098f6bcd4621d373cade4e832627b4f6", NAS-IP-Address =~ "10.1.18.1|10.8.18.1"
After that you restart the radius service and everything is fine. :)
Hope this helps other people too.
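As an added illustration (not code from the thread, from pfSense or from FreeRADIUS), the Python script below models how a `users`-file `NAS-IP-Address` check-item behaves as the two posts above describe it: `==` as an exact match and `=~` as a regex search, evaluated against each captive portal's address. The sample `users` lines and the extra NAS 10.1.18.100 are constructed; the two CP addresses 10.1.18.1 and 10.8.18.1 are the ones quoted in the thread. It shows that the pipe-less value pfSense saved matches neither CP while the corrected value matches both, and it adds a `strict` row with anchors and escaped dots: FreeRADIUS `=~` is an unanchored search in which `.` matches any character, so `10.1.18.1` on its own would also accept a NAS at 10.1.18.100.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of FreeRADIUS "users" file lines (not the thread's real
# file). Format, as in raddb/users:  "<name>" <check-item>[, <check-item> ...]
# CP1 = 10.1.18.1 and CP2 = 10.8.18.1 are the addresses quoted in the thread;
# 10.1.18.100 is an extra constructed NAS used only to show the anchoring caveat.
USERS_FILE = r'''
"a" Cleartext-Password := "secret-a"
"b" Cleartext-Password := "secret-b", NAS-IP-Address == "10.8.18.1"
"mangled" Cleartext-Password := "x", NAS-IP-Address =~ "10.1.18.1 10.8.18.1"
"fixed" Cleartext-Password := "x", NAS-IP-Address =~ "10.1.18.1|10.8.18.1"
"strict" Cleartext-Password := "x", NAS-IP-Address =~ "^(10\.1\.18\.1|10\.8\.18\.1)$"
'''

# Addresses the Access-Request could carry in NAS-IP-Address (constructed list).
CAPTIVE_PORTALS = ["10.1.18.1", "10.8.18.1", "10.1.18.100"]

Item = Tuple[str, str, str]  # (attribute, operator, value)

# One check-item: Attribute op "quoted value"  or  Attribute op bareword
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=~)\s*(?:"([^"]*)"|([^\s,]+))')


def parse_users(text: str) -> Dict[str, List[Item]]:
    """Parse 'users' lines into {name: [(attr, op, value), ...]}."""
    users: Dict[str, List[Item]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'"([^"]+)"\s+(.*)$', line)
        if not m:
            raise ValueError(f"unparseable users line: {line!r}")
        name, rest = m.group(1), m.group(2)
        users[name] = [(attr, op, quoted if quoted else bare)
                       for attr, op, quoted, bare in ITEM_RE.findall(rest)]
    return users


def nas_ip_check_passes(items: List[Item], nas_ip: str) -> bool:
    """Apply NAS-IP-Address check-items as the thread describes them:
    '==' is an exact match, '=~' is an (unanchored) regex search.
    ':=' assigns a value rather than checking one, so it is skipped."""
    for attr, op, value in items:
        if attr != "NAS-IP-Address" or op == ":=":
            continue
        if op == "==" and value != nas_ip:
            return False
        if op == "=~" and re.search(value, nas_ip) is None:
            return False
    return True


def allowed_portals(users: Dict[str, List[Item]], name: str) -> List[str]:
    """Return the NAS addresses from which 'name' would pass its check-items."""
    return [ip for ip in CAPTIVE_PORTALS if nas_ip_check_passes(users[name], ip)]


if __name__ == "__main__":
    table = parse_users(USERS_FILE)
    for user in table:
        print(f"{user:8s} -> {allowed_portals(table, user)}")
```

Running it shows `mangled` passing from no portal at all (the space-separated value requires a literal space that an address never contains), `fixed` passing from all three including the unintended 10.1.18.100, and `strict` passing from exactly CP1 and CP2. The parser and matcher are a model of the described behaviour for demonstration, not FreeRADIUS's own implementation.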
-
It's not a bug - it's a feature ;-)
This problem is not pfSense related, it is package related. Like the explanation below the text box says, the vertical bar is for making a new line. If you do not need this in your environment for CHECK-ITEM then just modify
/usr/local/pkg/freeradius.inc beginning on line 455 till 484
Replace the following:
explode("|",
with something else you want, like:
explode(";",
or
explode("\n",
Then you should be able to make all changes from the GUI - because if you do any change on the GUI on any user, the complete users file will be re-written, and if you have 100 users you need to modify this using vi 100 times.
Good luck :-)
-
Wow,
thanks.
That is certainly correct, NOT a pfSense bug. :)
Many thanks for sharing the information about the package programming. Nice weekend.
CAT