Separate users in two groups (staff and guests) in FreeRADIUS 3

Tags: freeradius, groups, wpa

I have a FreeRADIUS (3.0.15) server for WPA authentication (PEAP + MSCHAPv2) and everything works out of the box even though it feels like it would take a lifetime of study in an enclosed monastery to master every bit of the configuration.

I have my users in the users file and I would like to keep it that way (versus sql or ldap) because I like the convenience of editing users with a simple text editor.

What I'm trying to accomplish:

I have two SSIDs (staff and guests) and I would like to separate my users in two groups such that a guest user is rejected if they try to authenticate on the staff SSID.

What I have so far:

In my users file:

DEFAULT
    MyGroup := 'guests',
    Fall-Through := Yes

# Guest users
guest1 Cleartext-Password := 'password1'
# End of guest users

DEFAULT
    MyGroup := 'staff',
    Fall-Through := Yes

# Staff users
staff1 Cleartext-Password := 'kdjsfhksf'
# End of staff users

My hope is that, after parsing the file, the reply:MyGroup attribute has staff or guest depending on what user matched the request.

My dictionary file has this:

ATTRIBUTE MyGroup 3000 string

And my default site has this in the authorize group, right after the files module. The rewrite_called_station_id policy creates a new attribute, Called-Station-SSID, which I use along with the MyGroup attr created by the files mod to try and filter the users:

# get SSID from Called-Station-Id
rewrite_called_station_id

# check guest connecting to staff SSID and reject if so
if (&MyGroup == 'guests' && &Called-Station-SSID == 'STAFF') {
        reject
}

I also tried this:

if (&reply:MyGroup == 'guests' && &Called-Station-SSID == 'STAFF') {

But in any case I get the following error:

if (&reply:MyGroup == 'guests' && &Called-Station-SSID == 'STAFF') {
ERROR: Failed retrieving values required to evaluate condition

At this point I have no clue what's going on and how to fix it.

Best Answer

If you want to assign groups to users do it with check items which insert items into the &control list, i.e.

guest1  MyGroup := 'guests', Cleartext-Password := 'password1'

staff1  MyGroup := 'staff', Cleartext-Password := 'kdjsfhksf'

and then

# guest account trying the staff SSID: reject
if ((&control:MyGroup == 'guests') && (&Called-Station-SSID == 'STAFF')) {
        reject
}
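Because the users file is edited by hand, the easy mistake with this scheme is an entry that has no MyGroup check item at all: the condition above only rejects when MyGroup is 'guests', so an ungrouped account would be let onto the staff SSID. The script below is an added example, not part of the question or the answer: it parses the one-line form the answer recommends, flags entries with a missing or unknown group, and models the authorize decision so a policy can be sanity-checked before deploying. The parser is a deliberate simplification (no DEFAULT entries, Fall-Through or indented reply items, quoted values only), the function names are hypothetical, and the sample file and passwords are constructed.

```python
"""Lint a FreeRADIUS-style users file for the MyGroup scheme above.

Added example, not code from the question, the answer or the FreeRADIUS
project. Assumes the answer's one-line form: check items on the user line.
"""
import re

KNOWN_GROUPS = {"guests", "staff"}

# Constructed sample in the answer's form; the third entry is the mistake
# the lint is meant to catch.
SAMPLE_USERS = """\
# Guest users
guest1  MyGroup := 'guests', Cleartext-Password := 'password1'
# Staff users
staff1  MyGroup := 'staff', Cleartext-Password := 'kdjsfhksf'
# Mistake: no group assigned at all
nogroup Cleartext-Password := 'x'
"""

# One check item: Attribute-Name <op> 'quoted value'
ITEM_RE = re.compile(r"([\w-]+)\s*(:=|==|=)\s*'([^']*)'")


def parse_users(text):
    """Return {username: {attribute: value}} from the check items on each user line.

    Simplification (assumed): comment lines, blank lines and indented
    reply-item lines are skipped; DEFAULT and Fall-Through are not modelled.
    """
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#") or line[0].isspace():
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        name = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        items = {}
        for piece in filter(None, (p.strip() for p in rest.split(","))):
            m = ITEM_RE.fullmatch(piece)
            if not m:
                raise ValueError(f"line {lineno}: cannot parse check item {piece!r}")
            attr, _op, value = m.groups()
            items[attr] = value
        users[name] = items
    return users


def lint(users):
    """List entries whose MyGroup check item is missing or not a known group."""
    problems = []
    for name, items in users.items():
        group = items.get("MyGroup")
        if group is None:
            problems.append(f"{name}: no MyGroup check item")
        elif group not in KNOWN_GROUPS:
            problems.append(f"{name}: unknown group {group!r}")
    return problems


def authorize(users, username, ssid):
    """Model of the answer's unlang condition.

    Mirrors `&control:MyGroup == 'guests' && &Called-Station-SSID == 'STAFF'`;
    a username absent from the file is treated as rejected. Note that an
    entry with no MyGroup is *not* rejected on the STAFF SSID, which is why
    lint() flags it.
    """
    items = users.get(username)
    if items is None:
        return "reject"
    if items.get("MyGroup") == "guests" and ssid == "STAFF":
        return "reject"
    return "ok"


if __name__ == "__main__":
    parsed = parse_users(SAMPLE_USERS)
    for problem in lint(parsed):
        print("LINT:", problem)
    for user, ssid in [("guest1", "STAFF"), ("guest1", "GUEST"), ("staff1", "STAFF")]:
        print(f"{user} on {ssid}: {authorize(parsed, user, ssid)}")
```

Run it against the real users file by reading the file into `parse_users` instead of the constructed sample; a non-empty result from `lint` means some account would fall outside the guests/staff policy.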