Wifi – How to limit user’s access to a specific NAS

802.1freeradiusradiuswifiwpa

I'm new to RADIUS and I have just set up a very basic FreeRADIUS server for 802.1x (WPA). I use EAP, MySQL as backend with daloRADIUS as webGUI (for user management, mainly).

I got two WiFi networks, one private network and a guest network.
Now I want to specify users per NAS. So there are certain users that are only allowed to use the guest network and not the private network.

How do I do that? Is that even possible with FreeRADIUS? Because I can't seem to find any information about it. Is it maybe something weird, am I using RADIUS in a wrong manner?

Best Answer

Got it! The problem was that the NAS-Identifier attribute didn't get copied to the tunneled request by EAP. Setting "copy_request_to_tunnel" to "yes" fixed it :)

Now I can use the NAS-Identifier attribute as a check in the radcheck table.

Related Solutions

Certificate Authority – RADIUS/WPA

It works. Any argument ?

most likely the certificate is deleted by some application. Sometimes the certificate is not deleted, but rather archived. To verify, please run certmgr.msc and open the certificate snap-in. Then click Certificates->View->Options and select Archive Certificates. the certificates show up again.

It could be the Live Sync program that deletes/archive the certificate. To verify, please try not to use the program on the machine and monitor if the certificate gets deleted/archived. I also found that the software FolderShare can also cause this kind of problem. If you have this software installed, please remove or disabled this software. Thank you.

To troubleshot it, I recommend we operate a clean boot the problematic machine and check it again.

To perform a clean boot, please follow these steps.

Type MSCONFIG to open system configuration console.

Go to Services tab, click the option to hide all Microsoft Services and then click the Disable All button.

Go to Startup tab, click the Disable All button.

Restart the computer.

FreeRadius Server: RadGroupReply attribute for maximum connected users

Sure, first you need to set up RADIUS accounting with an SQL database like postgresql or MySQL.

Then you need to implement a solution for stale session detection. This can be as simple as enabling Interim-Updates and closing out sessions where the last update was before (NOW() - <interim time>) using a cron job. How to calculate a time in the past varies wildly from database to database, so you'll have to find the right syntax for the database you use.

Finally you'd need to write an unlang policy that gets a live session count for a NAS and compares it to the configured maximum. In FreeRADIUS v3.0.x you can associate arbitrary pairs with NAS by adding them to client sections.

Example client section:

client test {
    ipaddr = 127.0.0.1
    secret = 'testing123'
    max_users = 10
}

Example policy:

authorize {
    if ("%{sql:SELECT COUNT(*) FROM radacct WHERE nasipaddress = '%{NAS-IP-Address}' AND acctstoptime != NULL}" > "%{client:max_users}") {
        update reply {
            Reply-Message := 'Sorry, too many users connected, please try again later'
        }
        reject
    }
}

Best Answer

Related Solutions

Certificate Authority – RADIUS/WPA

FreeRadius Server: RadGroupReply attribute for maximum connected users

Related Topic