Netgate Discussion Forum
    How can I give a FreeRadius User only access to ONE CP in Multi CP Setup?

    Category: Captive Portal. 5 Posts, 2 Posters, 2.3k Views.
    cat1510:

      Hi folks,

      I have 2 networks and gave every segment its own CP.
      I also installed FreeRadius and created users 'a' and 'b' in it.
      Everything works fine so far.

      The issue I can't solve is that user 'b' should only use the 2nd network,
      but users 'a' and 'b' can log in to the CP on any network.
      There is no way (that I found) to tell it that user 'b' can only use the 2nd network.

      Can someone give me a hint? A link?
      Or did I find a bug?
      I didn't find a scenario like this anywhere.

      THX.

      Nachtfalke:

        Hi,

        I didn't test that myself, but I think it could be done with an additional attribute that FreeRADIUS should check:

        When user "b" should be allowed to connect only from CP2 - which has IP address 192.168.10.1 - then you should add this as a "check-item" on this user:

        NAS-IP-Address == 192.168.10.1

        So if the authentication request comes from CP2, which has IP address 192.168.10.1, then the check is true and user "b" can access. If the user tries to authenticate from a different CP with a different IP address, user "b" cannot connect.

        Users who should be able to connect from both CPs should not have this additional check-item.

        If you have users who should be able to authenticate from different IP addresses, then this link could be helpful:
        http://freeradius.1045715.n5.nabble.com/Logical-OR-with-Check-Attributes-td3265998.html

        Check the operator =~

        Hope this will help you!

        cat1510:

          Hello Nachtfalke,

          You saved me!  ;D

          Thanks for pointing me in the right direction.
          I found a BUG in pfSense too.

          If a user is only accepted in one CP, you should use: NAS-IP-Address == 10.1.18.1
          If a user is accepted in different CPs, you should use: NAS-IP-Address =~ "10.1.18.1 | 10.8.18.1"

          The solution:

          Look to Attachment pics.

          IMPORTANT: If you need to use a REGEXP for more than one network, you HAVE to go to the console and correct the users file manually!

          In pfSense it looks like:                          NAS-IP-Address =~ "10.1.18.1 | 10.8.18.1"
          but it is saved in the file after you press save as:  NAS-IP-Address =~ "10.1.18.1  10.8.18.1"

          The | is missing in the REGEXP.

          Then you should go to the console and correct the file entry manually:

          vi /usr/pbi/freeradius-amd64/etc/raddb/users

          "penthouse" MD5-Password := "098f6bcd4621d373cade4e832627b4f6", NAS-IP-Address =~ "10.1.18.1|10.8.18.1"

          After that you restart the radius service and everything is fine. :)

          Hope this helps other people too.

          [Attachments: user1.JPG, user2.JPG]

          Nachtfalke:
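The NAS-IP-Address check-item behaviour from Nachtfalke's answer and the corrected users file entry above, emulated in Python as an added example (this is not code from the thread, from pfSense or from FreeRADIUS). It parses a constructed users file, evaluates `==` and `=~` the way FreeRADIUS's comparison does (assumed here: exact compare for `==`, unanchored regex search for `=~`, as with regexec()), and shows two caveats the thread does not spell out: spaces around the `|` become part of the regex branches and match nothing, and with dots unescaped and no anchors, `"10.1.18.1|10.8.18.1"` also admits a NAS at 10.1.18.10. `anchored_nas_regex` builds the strict form; `gui_mangle` reproduces the double space the GUI wrote, under the assumption that it splits the value on `|` and re-joins the pieces.

```python
import re

# Constructed sample of a pfSense-generated FreeRADIUS "users" file. The MD5
# value is the one quoted in the thread (the hash of "test"); passwords are
# not checked here, only the NAS-IP-Address check item. "broken" is the value
# the thread reports pfSense writing after it swallows the "|", "spaced" is
# the form typed into the GUI with spaces around the bar.
USERS_FILE = r'''
"a" MD5-Password := "098f6bcd4621d373cade4e832627b4f6"
"b" MD5-Password := "098f6bcd4621d373cade4e832627b4f6", NAS-IP-Address == 10.8.18.1
"broken" MD5-Password := "098f6bcd4621d373cade4e832627b4f6", NAS-IP-Address =~ "10.1.18.1  10.8.18.1"
"spaced" MD5-Password := "098f6bcd4621d373cade4e832627b4f6", NAS-IP-Address =~ "10.1.18.1 | 10.8.18.1"
"penthouse" MD5-Password := "098f6bcd4621d373cade4e832627b4f6", NAS-IP-Address =~ "10.1.18.1|10.8.18.1"
"strict" MD5-Password := "098f6bcd4621d373cade4e832627b4f6", NAS-IP-Address =~ "^(10\.1\.18\.1|10\.8\.18\.1)$"
'''

# One check item: attribute, operator, quoted or bare value.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=~|!~|!=|=)\s*(?:"([^"]*)"|(\S+))\s*$')


def parse_users_file(text):
    """Parse the first line of each users-file entry into
    {username: [(attribute, operator, value), ...]}.
    Indented reply-item lines are ignored in this example."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(('#', '\t', ' ')):
            continue
        name, _, rest = line.partition(' ')
        items = []
        for part in rest.split(','):
            m = ITEM_RE.match(part)
            if m is None:
                raise ValueError(f"cannot parse check item {part!r} for {name}")
            attr, op, quoted, bare = m.groups()
            items.append((attr, op, quoted if quoted is not None else bare))
        entries[name.strip('"')] = items
    return entries


def nas_allowed(items, nas_ip):
    """Emulate FreeRADIUS evaluation of NAS-IP-Address check items
    (assumption: == / != compare exactly, =~ / !~ are an unanchored regex
    search). An entry with no such item accepts every NAS, which is the
    thread's original problem."""
    for attr, op, value in items:
        if attr != 'NAS-IP-Address':
            continue
        if op == '==' and nas_ip != value:
            return False
        if op == '!=' and nas_ip == value:
            return False
        if op == '=~' and re.search(value, nas_ip) is None:
            return False
        if op == '!~' and re.search(value, nas_ip) is not None:
            return False
    return True


def access_matrix(text, nas_ips):
    """{user: {nas_ip: allowed}} for every entry and every CP address."""
    entries = parse_users_file(text)
    return {u: {ip: nas_allowed(items, ip) for ip in nas_ips}
            for u, items in entries.items()}


def anchored_nas_regex(ips):
    """Check-item regex matching exactly the listed NAS addresses: dots
    escaped and the alternation anchored, so 10.1.18.1 does not also
    admit 10.1.18.10 or 110.1.18.1."""
    return '^(' + '|'.join(re.escape(ip) for ip in ips) + ')$'


def gui_mangle(value):
    """Reproduce what the thread saw the pfSense GUI do to the check item
    (assumption: it splits on "|" and re-joins the pieces, which turns
    '10.1.18.1 | 10.8.18.1' into '10.1.18.1  10.8.18.1')."""
    return ''.join(value.split('|'))


if __name__ == '__main__':
    matrix = access_matrix(USERS_FILE, ['10.1.18.1', '10.8.18.1', '10.1.18.10'])
    for user, row in matrix.items():
        print(f"{user:10}", '  '.join(f"{ip}:{'ok' if ok else 'NO'}" for ip, ok in row.items()))
    print(anchored_nas_regex(['10.1.18.1', '10.8.18.1']))
```

Running it shows "a" accepted from every CP, "b" only from 10.8.18.1, "broken" and "spaced" from nowhere, "penthouse" from both CPs but also from 10.1.18.10, and "strict" from exactly the two CP addresses. Whatever form you put in the users file, check the effective value with the radius daemon's debug output rather than trusting what the GUI field shows.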

            It's not a bug - it's a feature ;-)

            This problem is not pfSense related, it is package related. As the explanation below the text box says, the vertical bar is for making a new line. If you do not need this in your environment for CHECK-ITEM then just modify

            /usr/local/pkg/freeradius.inc

            from line 455 to 484.

            Replace the following:

            explode("|",

            with something else you want, like:

            explode(";",

            or

            explode("\n",

            Then you should be able to make all changes from the GUI, because if you make any change in the GUI to any user the complete users file will be re-written, and if you have 100 users you would need to modify this using vi 100 times.

            Good luck :-)

            cat1510:

              Wow,

              thanks.

              That is certainly correct, NOT a pfSense bug. :)
              Many thanks for sharing the information about the package programming.

              Nice weekend.

              CAT

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.