How can I give a FreeRadius User only access to ONE CP in Multi CP Setup?
I got 2 networks and give every segement an own CP.
Also I installed and created a user 'a' and 'b' in FreeRadius.
Everything works fine so far.
The issue I can't solve is that user 'b' should only use the 2. network
But the user 'a' and 'b' can log in CP @ any network.
There is no way (I found) to tell user 'b' can only use the 2. network.
Someone can give me a hint? Link?
Or did I found a bug?
I didn't found a szenario like this somewhere.
Nachtfalke last edited by
didn't test that myself but I think it could be done with some additional attributes freeradius should check:
When user "b" should be allowed to only connect from CP2 - which has IP address 192.168.10.1 - then you should add this as a "check-item" on this user:
NAS-IP-Address == 192.168.10.1
So if the authentication request comes from CP2 which has IP address 192.168.10.1 then the check is true and the user "b" can access. If the user tries to authenticate from a different CP with different IP address of the CP the user "b" cannot connect.
Users who should be able to connect from both CP should not have this additional check-item.
If you have users which should be able to authenticate from different IP-Addresses then this link could be helpful:
Check the operator =~
Hope this will help you!
Du hast mich gerettet! ;D
THNX for hitting me into the right direction.
I found a BUG in pf-sense too.
If a user is only accepted in one CP, u should use: NAS-IP-Address == 10.1.18.1
If a user is accepted in different CPs, u should use: NAS-IP-Address =~ "10.1.18.1 | 10.8.18.1"
Look to Attachment pics.
IMPORTANT: If you need to use a REGEXP for more than one network, you HAVE to go to console and correct the users file manually!
in pfsense it looks like: NAS-IP-Address =~ "10.1.18.1 | 10.8.18.1"
but saved in file after you pressed save: NAS-IP-Address =~ "10.1.18.1 10.8.18.1"
The | is missing in the REGEXP.
Than you should go to console and correct the file entry manually:
"penthouse" MD5-Password := "098f6bcd4621d373cade4e832627b4f6", NAS-IP-Address =~ "10.1.18.1**|**10.8.18.1"
After that u restart the radius service and everything is fine. :)
Hope this helps other people too.
Nachtfalke last edited by
It's not a bug - it's a feature ;-)
This problem is not pfsense related, it is package related. Like the explanation below the text box says the vertical bar is for making a new line. If you do not need this in your environment for CHECK-ITEM then just modify
beginning on line 455 till 484
Replace the following:
with something else you want like:
Then you should be able to make all changes from GUI - because if you do any change on the GUI on any user the complete users file will be re-written and if you have 100 users you need to modify this using vi 100 times.
Viel Erfolg :-)
That is certainly correct, NOT a pfsense Bug. :)
Really much thanks to share the information for the package programming.