I have a FreeRADIUS (3.0.15) server for WPA authentication (PEAP + MSCHAPv2) and everything works out of the box even though it feels like it would take a lifetime of study in an enclosed monastery to master every bit of the configuration.
I have my users in the users file and I would like to keep it that way (versus sql or ldap) because I like the convenience of editing users with a simple text editor.
What I'm trying to accomplish:
I have two SSIDs (staff and guests) and I would like to separate my users in two groups such that a guest user is rejected if they try to authenticate on the staff SSID.
What I have so far:
In my users file:
DEFAULT
    MyGroup := 'guests',
    Fall-Through := Yes
# Guest users
guest1 Cleartext-Password := 'password1'
# End of guest users
DEFAULT
    MyGroup := 'staff',
    Fall-Through := Yes
# Staff users
staff1 Cleartext-Password := 'kdjsfhksf'
# End of staff users
My hope is that, after parsing the file, the reply:MyGroup attribute has staff or guest depending on what user matched the request.
My dictionary file has this:
ATTRIBUTE MyGroup 3000 string
And my default site has this in the authorize group, right after the files module. The rewrite_called_station_id creates a new attribute Called-Station-SSID, which I use along the MyGroup attr created by the files mod to try and filter the users:
# get SSID from Called-Station-Id
rewrite_called_station_id
# check guest connecting to staff SSID and reject if so
if (&MyGroup == 'guests' && &Called-Station-SSID == 'STAFF') {
    reject
}
I also tried this:
if (&reply:MyGroup == 'guests' && &Called-Station-SSID == 'STAFF') {
But in any case I get the following error:
if (&reply:MyGroup == 'guests' && &Called-Station-SSID == 'STAFF') {
ERROR: Failed retrieving values required to evaluate condition
At this point I have no clue what's going on and how to fix it.
Best Answer
If you want to assign groups to users do it with check items which insert items into the &control list, i.e.and then
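
One way to apply the check-item approach described in the answer, as an added example that is not the answerer's own configuration. It reuses the user names, the MyGroup attribute and the 'STAFF' comparison from the question, and assumes the files module has matched the user's entry in the same section before the condition runs.

```text
# --- users file ---
# MyGroup is written as a check item on the first line of each entry,
# next to the password, instead of as an indented reply item.
# Check items set with := are added to the control list when the entry matches.
guest1  Cleartext-Password := 'password1', MyGroup := 'guests'
staff1  Cleartext-Password := 'kdjsfhksf', MyGroup := 'staff'

# --- authorize section of the site, after the files module ---
files

# get SSID from Called-Station-Id
rewrite_called_station_id

# reject a guest connecting to the staff SSID;
# the group is now read from the control list, not request or reply
if (&control:MyGroup == 'guests' && &Called-Station-SSID == 'STAFF') {
    reject
}
```

Running the server in debug mode (`radiusd -X`) shows whether `&control:MyGroup` was set for a given request before the condition is evaluated.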