Freeradius limit access
-
Hi all,
I'm looking to use Freeradius inside pfsense to authenticate and control what my users are able to do. Specifically, can they access VPN and which WiFi networks are they able to join.
I'm using the "CHECK-ITEM" entry for each user with
Called-Station-ID =~ "^/.*:(SSID)$/"
which will limit the user to just authenticate to the single WiFi network.
However I have some users who need to connect to multiple WiFi networks or indeed the OpenVPN.
I thought I should be able to use regex or to have multiple, but it doesn't seem to work.
Called-Station-ID =~ "^/.*:(SSID|SSID2)$/"
In fact when I do this no authentication is allowed for the user.
Can someone help with the correct syntax to allow this?
Or suggest a different way to do it?
Thanks
--Guy -
@guyp said in Freeradius limit access:
Called-Station-ID =~ "^/.*:(SSID)$/"
Not an expert but have you tried the following in the check-items:-
Called-Station-ID =~ "^/.*:(SSID)$/" | Called-Station-ID =~ "^/.*:(SSID2)$/"
-
@nogbadthebad said in Freeradius limit access:
@guyp said in Freeradius limit access:
Called-Station-ID =~ "^/.*:(SSID)$/"
Not an expert but have you tried the following in the check-items:-
Called-Station-ID =~ "^/.*:(SSID)$/" | Called-Station-ID =~ "^/.*:(SSID2)$/"
Thanks for the suggestion, however it fails the syntax checker for FreeRadius.
Called-Station-ID =~
can only appear once in the user record. Interestingly, when viewing the configs, when there's a pipe | in the file it's not shown but replaced with a space. It is, however, still present on viewing the entry.
-
@guyp out of interest what APs are you using?
I'm using an Aruba InstantON AP22 and when I do a radsniff -x from pfSense I see the following:-
2022-07-02 14:03:28.814223 (15) Access-Request Id 231 igb0:172.16.1.10:62491 -> 172.16.0.1:1812 +0.306
    User-Name = "andyk"
    NAS-IP-Address = 172.16.1.10
    NAS-Port = 0
    Service-Type = Framed-User
    Framed-MTU = 1100
    State = 0x9b50fff09d58e64fe58868f9ea9473ee
    Called-Station-Id = "348a12ce2a38"
    Calling-Station-Id = "ac49db3cfbb7"
    NAS-Identifier = "ap-1"
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020800661900170303005b23ad935afdb6fa3d2010f07245dab210eb1a05ff6a15d7221376cd992ee28ba9ba6c4baffdeb5ecc9001c4a15fc127f82f4663cb1c1f0929fef974a9f6a44be73f4504fd7a18c1e2d3557c5b5d2ed13d9899602d2448c19aead4c2
    Message-Authenticator = 0x436536d4e9c986bd4bc07cc7064aa503
    Aruba-Essid-Name = "L-Space RADIUS"
    Authenticator-Field = 0x351c5e7dda7d4311fe202dd9d229e82f
The Called-Station-Id is the AP MAC address.
-
@nogbadthebad said in Freeradius limit access:
@guyp out of interest what APs are you using?
I'm using an Aruba InstantON AP22 and when I do a radsniff -x from pfSense I see the following:-
2022-07-02 14:03:28.814223 (15) Access-Request Id 231 igb0:172.16.1.10:62491 -> 172.16.0.1:1812 +0.306
    User-Name = "andyk"
    NAS-IP-Address = 172.16.1.10
    NAS-Port = 0
    Service-Type = Framed-User
    Framed-MTU = 1100
    State = 0x9b50fff09d58e64fe58868f9ea9473ee
    Called-Station-Id = "348a12ce2a38"
    Calling-Station-Id = "ac49db3cfbb7"
    NAS-Identifier = "ap-1"
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020800661900170303005b23ad935afdb6fa3d2010f07245dab210eb1a05ff6a15d7221376cd992ee28ba9ba6c4baffdeb5ecc9001c4a15fc127f82f4663cb1c1f0929fef974a9f6a44be73f4504fd7a18c1e2d3557c5b5d2ed13d9899602d2448c19aead4c2
    Message-Authenticator = 0x436536d4e9c986bd4bc07cc7064aa503
    Aruba-Essid-Name = "L-Space RADIUS"
    Authenticator-Field = 0x351c5e7dda7d4311fe202dd9d229e82f
The Called-Station-Id is the AP MAC address.
I'm using Ubiquiti access points, and they send out MAC address:SSID.
I've previously written my own RADIUS config to grab this and test against LDAP groups to see if the user is permitted to access that WiFi network. In this new site I don't have those options so I'm trying to simplify it all. -
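The two posts above describe two different shapes of Called-Station-Id: Ubiquiti APs send "MAC:SSID", the Aruba InstantON AP sends the bare AP MAC and puts the SSID in the Aruba-Essid-Name VSA. The script below is an added example (not from the thread or from pfSense/FreeRADIUS) that builds the alternation regex a multi-SSID check item needs, emulates how a users-file "=~" check item applies it to the raw attribute, and, going one step beyond the thread, shows a vendor-independent check that reads the SSID from wherever the NAS reported it. It assumes the quoted string in the users file is the regex body itself; whether pfSense adds or strips the "/" delimiters seen in the posted patterns is not something the thread establishes, so the example leaves them out. All MACs, SSIDs and user names are constructed.

```python
import re

# Constructed sample Access-Request attributes, modelled on the two AP
# behaviours described in the thread: Ubiquiti APs put "MAC:SSID" in
# Called-Station-Id; the Aruba InstantON AP puts only the AP MAC there and
# carries the SSID in the Aruba-Essid-Name VSA. Every value here is made up.
SAMPLE_REQUESTS = [
    {"User-Name": "alice", "Called-Station-Id": "F0-9F-C2-11-22-33:Corp-WiFi"},
    {"User-Name": "alice", "Called-Station-Id": "F0-9F-C2-11-22-33:Guest WiFi"},
    {"User-Name": "alice", "Called-Station-Id": "F0-9F-C2-11-22-33:Corp-WiFi-5G"},
    {"User-Name": "bob", "Called-Station-Id": "348a12ce2a38",
     "Aruba-Essid-Name": "Corp-WiFi"},
]


def ssid_check_item(ssids):
    """Regex body for a users-file check item of the form
        Called-Station-Id =~ "<body>"
    that admits exactly the given SSIDs (assumption: the quoted string is the
    regex body, with no surrounding "/" delimiters). Each SSID is escaped so
    spaces, dots and parentheses match literally, and the anchors stop
    'Corp-WiFi' from also admitting 'Corp-WiFi-5G'."""
    alternatives = "|".join(re.escape(s) for s in ssids)
    return rf"^.*:({alternatives})$"


def check_item_matches(request, pattern):
    """Emulate the users-file '=~' operator: apply the regex to the raw
    Called-Station-Id string. False when the attribute is absent."""
    value = request.get("Called-Station-Id")
    return value is not None and re.search(pattern, value) is not None


def reported_ssid(request):
    """Return the SSID the NAS reported, wherever it put it: the part after the
    colon in Called-Station-Id, or Aruba-Essid-Name when Called-Station-Id holds
    only the AP MAC. None if neither carries an SSID."""
    _mac, sep, ssid = request.get("Called-Station-Id", "").partition(":")
    if sep:
        return ssid
    return request.get("Aruba-Essid-Name")


def ssid_allowed(request, ssids):
    """Vendor-independent policy decision: exact membership test on the
    reported SSID, no regex involved."""
    return reported_ssid(request) in set(ssids)


def evaluate(requests, ssids):
    """Run both checks over the requests and return a list of
    (user, regex_check_item_result, vendor_independent_result)."""
    pattern = ssid_check_item(ssids)
    return [(r["User-Name"], check_item_matches(r, pattern), ssid_allowed(r, ssids))
            for r in requests]


if __name__ == "__main__":
    allowed = ["Corp-WiFi", "Guest WiFi"]
    print("check item: Called-Station-Id =~", repr(ssid_check_item(allowed)))
    for user, by_regex, by_ssid in evaluate(SAMPLE_REQUESTS, allowed):
        print(f"{user:6} regex-check-item={by_regex!s:5} reported-ssid-check={by_ssid}")
```

The last row of the output is the instructive one: for the Aruba-style request the Called-Station-Id regex can never match an SSID because there is no SSID in that attribute, while the membership test on the reported SSID still works. That is why a check item written only against Called-Station-Id is tied to the AP vendor's formatting of that attribute.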
@guyp Maybe this can help you:
I'm using in a Nanohd:
    # unlang policy block (belongs in a virtual server section, not in the users file)
    if (LDAP-Group == "wifi_corp" && NAS-IP-Address == "192.168.199.3") {
        update {
            Simultaneous-Use := "1"
            control:Max-Daily-Session := "7200"
        }
        noop
        dailycounter
    }
-
@mcury Thanks but this doesn't work in the users file. I think it's very restricted in what sort of entries can be made :(