How can I give a FreeRadius User only access to ONE CP in Multi CP Setup?



  • Hi folks,

    I have 2 networks and gave every segment its own CP.
    I also installed FreeRADIUS and created users 'a' and 'b'.
    Everything works fine so far.

    The issue I can't solve is that user 'b' should only use the 2nd network.
    But users 'a' and 'b' can log in to the CP on any network.
    There is no way (that I found) to say that user 'b' can only use the 2nd network.

    Can someone give me a hint? A link?
    Or did I find a bug?
    I didn't find a scenario like this anywhere.

    THX.



  • Hi,

    I didn't test that myself, but I think it could be done with some additional attributes FreeRADIUS should check:

    When user "b" should be allowed to connect only from CP2 - which has IP address 192.168.10.1 - then you should add this as a "check-item" on this user:

    NAS-IP-Address == 192.168.10.1

    So if the authentication request comes from CP2, which has IP address 192.168.10.1, then the check is true and user "b" can access. If the user tries to authenticate from a different CP with a different IP address, user "b" cannot connect.

    Users who should be able to connect from both CPs should not have this additional check-item.

    If you have users who should be able to authenticate from different IP addresses, then this link could be helpful:
    http://freeradius.1045715.n5.nabble.com/Logical-OR-with-Check-Attributes-td3265998.html

    Check the operator =~

    Hope this will help you!



  • Hello Nachtfalke,

    You saved me!  ;D

    Thanks for pushing me in the right direction.
    I found a BUG in pfSense too.

    If a user is only accepted in one CP, you should use: NAS-IP-Address == 10.1.18.1
    If a user is accepted in different CPs, you should use: NAS-IP-Address =~ "10.1.18.1 | 10.8.18.1"

    The solution:

    Look at the attached pics.

    IMPORTANT: If you need to use a REGEXP for more than one network, you HAVE to go to the console and correct the users file manually!

    In pfSense it looks like:                   NAS-IP-Address =~ "10.1.18.1 | 10.8.18.1"
    but saved in the file after you press save: NAS-IP-Address =~ "10.1.18.1  10.8.18.1"

    The | is missing in the REGEXP.

    Then you should go to the console and correct the file entry manually:

    vi /usr/pbi/freeradius-amd64/etc/raddb/users

    "penthouse" MD5-Password := "098f6bcd4621d373cade4e832627b4f6", NAS-IP-Address =~ "10.1.18.1|10.8.18.1"

    After that you restart the radius service and everything is fine. :)

    Hope this helps other people too.
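    As an added illustration (not code from this thread or from the pfSense FreeRADIUS package), here is a small Python model of how FreeRADIUS evaluates these NAS-IP-Address check-items: `==` is an exact match, `=~` is a regex search that is not anchored unless the pattern says so. It shows why the GUI-saved value without the `|` matches neither portal, and that the unanchored pattern from the post also admits a NAS address that merely begins with 10.1.18.1, so an anchored pattern is tighter. The NAS addresses (including the third one) and the `<hash>` placeholder are constructed.

```python
import re

# Constructed NAS addresses: the two captive portals from the thread plus a third
# NAS whose address merely starts with CP1's address (an assumption for this demo).
CPS = ["10.1.18.1", "10.8.18.1", "10.1.18.10"]

ITEM_RE = re.compile(r'([\w-]+)\s*(==|!=|=~|!~|:=)\s*("[^"]*"|\S+?)(?=,|$)')

def parse_users_line(line):
    """Split '"name" Attr op value, Attr op value' into (name, [(attr, op, value)])."""
    m = re.match(r'("[^"]*"|\S+)\s+(.*)$', line.strip())
    if not m:
        raise ValueError(f"cannot parse users line: {line!r}")
    items = [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(m.group(2))]
    return m.group(1).strip('"'), items

def check_item_matches(op, want, have):
    """'==' exact match; '=~' regex search, unanchored unless the pattern has ^ and $."""
    if op == "==":
        return have == want
    if op == "!=":
        return have != want
    if op == "=~":
        return re.search(want, have) is not None
    if op == "!~":
        return re.search(want, have) is None
    return True  # ':=' assigns a config item (e.g. the password); it does not gate the request

def entry_accepts(items, request):
    """True only if every comparison check item is satisfied by the request attributes."""
    for attr, op, want in items:
        if op == ":=":
            continue
        have = request.get(attr)
        if have is None or not check_item_matches(op, want, have):
            return False
    return True

def cps_accepting(line, nas_ips=CPS):
    """Return the NAS (captive portal) addresses this users entry would let through."""
    _, items = parse_users_line(line)
    return [ip for ip in nas_ips if entry_accepts(items, {"NAS-IP-Address": ip})]

# The forms discussed in the thread (hash replaced by a placeholder) plus an anchored variant.
ONE_CP = 'b NAS-IP-Address == 10.1.18.1'
GUI_SAVED = '"b" MD5-Password := "<hash>", NAS-IP-Address =~ "10.1.18.1  10.8.18.1"'
FIXED = '"b" MD5-Password := "<hash>", NAS-IP-Address =~ "10.1.18.1|10.8.18.1"'
ANCHORED = r'"b" NAS-IP-Address =~ "^(10\.1\.18\.1|10\.8\.18\.1)$"'
```

    Calling `cps_accepting(GUI_SAVED)` returns an empty list, `cps_accepting(FIXED)` returns all three addresses, and `cps_accepting(ANCHORED)` returns only the two portals.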






  • It's not a bug - it's a feature ;-)

    This problem is not pfSense related, it is package related. As the explanation below the text box says, the vertical bar is for making a new line. If you do not need this in your environment for CHECK-ITEM, then just modify

    /usr/local/pkg/freeradius.inc

    from line 455 to 484.

    Replace the following:

    explode("|",

    with something else you want, like:

    explode(";",

    or

    explode("\n",

    Then you should be able to make all changes from the GUI - because if you make any change in the GUI on any user, the complete users file will be re-written, and if you have 100 users you would need to modify this using vi 100 times.

    Good luck :-)



  • Wow,

    thanks.

    That is certainly correct, NOT a pfSense bug. :)
    Many thanks for sharing the information about the package programming.

    Nice weekend.

    CAT

