I'm new to RADIUS and I have just set up a very basic FreeRADIUS server for 802.1x (WPA). I use EAP, MySQL as backend with daloRADIUS as webGUI (for user management, mainly).

I got two WiFi networks, one private network and a guest network. Now I want to specify users per NAS. So there are certain users that are only allowed to use the guest network and not the private network.

How do I do that? Is that even possible with FreeRADIUS? Because I can't seem to find any information about it. Is it maybe something weird, am I using RADIUS in a wrong manner?

Compizfox

2 Answers

Got it! The problem was that the NAS-Identifier attribute didn't get copied to the tunneled request by EAP. Setting "copy_request_to_tunnel" to "yes" fixed it :)

Now I can use the NAS-Identifier attribute as a check in the radcheck table.

Compizfox

One way is to set up different virtual servers and point each NAS to a different server. You can set up the users and then assign the users to different virtual servers. Actually you should assign them to different groups and then assign each group to different virtual servers. See the documentation for virtual servers.

You could also use hunt groups. Here you have one server but assign each NAS to a different hunt group. Then you assign users/user groups to each hunt group.

If you don't want to do this yourself, there are some RADIUS-as-a-service companies you might consider. Cloudessa uses FreeRADIUS on the backend and supports two-factor authentication using Google Authenticator. No Wires Security is another company that does RADIUS as a service.

kheld
  • Virtual servers are a way, but I doubt it's the right way. It seems unnatural to me to need two separate servers for such a simple goal. (Or am I wrong?) I don't really understand hunt groups. How do I assign users to a hunt group, for example? – Compizfox Jul 30 '13 at 18:12
  • Note that virtual servers are different listeners listening on different IP addresses or ports on the same machine. The concept is different from separate virtual machines using VMWare or Hyper-V. For hunt groups you look in the `radgroupcheck` table. See the example in the link under the heading "Combining with SQL authorisation" – kheld Jul 30 '13 at 18:22
  • Never mind, I think I already understand. Users are grouped in usergroups (table radusergroup), NASes are grouped in huntgroups (table radhuntgroup). The table radgroupcheck checks whether the users' usergroup is allowed to use a huntgroup. Right? – Compizfox Jul 30 '13 at 18:26
  • I still can't get it to work. The issue is kinda the same as in this thread: http://freeradius.1045715.n5.nabble.com/Checking-NAS-Identifier-in-the-radgroupcheck-table-td2776140.html – Compizfox Jul 30 '13 at 20:10
  • So I tried another suggestion in that thread, to just add a NAS-Identifier check in radchecks. I don't know if I did something wrong, but I can't authenticate at all now. http://pastebin.com/MBFinPrY – Compizfox Jul 30 '13 at 20:14
  • Without the NAS-Identifier check I get this (authentication is successful): http://pastebin.com/sYCdxGym And with the extra check I get this (authentication failed): http://pastebin.com/81MhnLhN – Compizfox Jul 30 '13 at 21:11
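The two approaches discussed above (a per-user NAS-Identifier check in radcheck from the accepted answer, and huntgroups gated through radgroupcheck from kheld's answer) as one added example; this is not code from either poster. It assumes the stock FreeRADIUS MySQL tables, the radhuntgroup table from the linked huntgroup how-to, and constructed user names, NAS identifiers and TEST-NET addresses.

```sql
-- Approach 1 (accepted answer): restrict a user to one NAS in radcheck.
-- This only works for EAP if copy_request_to_tunnel = yes in the peap/ttls
-- sections of the eap module, so the inner request also carries NAS-Identifier.
-- Without it the check attribute is absent in the tunnel and every user is rejected.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('guest1', 'Cleartext-Password', ':=', 'constructed-secret'),   -- constructed
  ('guest1', 'NAS-Identifier',     '==', 'guest-ap');              -- constructed NAS-Identifier

-- Approach 2 (kheld's answer): NASes -> huntgroups, users -> usergroups,
-- and radgroupcheck decides which usergroup may use which huntgroup.
-- How Huntgroup-Name is populated in the request is covered by the linked how-to.
INSERT INTO radhuntgroup (groupname, nasipaddress) VALUES
  ('guest-wifi',   '192.0.2.10'),    -- guest AP   (constructed address)
  ('private-wifi', '192.0.2.20');    -- private AP (constructed address)

INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('guest1', 'guests', 1),
  ('alice',  'staff',  1);

INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
  ('guests', 'Huntgroup-Name', '==', 'guest-wifi'),    -- guests: guest AP only
  ('staff',  'Huntgroup-Name', '==', 'private-wifi');  -- staff:  private AP only

-- Audit query: which NAS addresses may each user authenticate through?
-- Useful to verify the mapping before testing with a real client.
SELECT u.username, g.value AS huntgroup, h.nasipaddress
FROM radusergroup u
JOIN radgroupcheck g ON g.groupname = u.groupname
                    AND g.attribute = 'Huntgroup-Name'
JOIN radhuntgroup  h ON h.groupname = g.value
ORDER BY u.username;
```

A user that appears against no NAS in the audit query, or whose radcheck NAS-Identifier value does not match what the access point actually sends, will fail for every network rather than only the restricted one; compare the value with the NAS-Identifier shown in `radiusd -X` output.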