I have a FreeRADIUS (3.0.15) server for WPA authentication (PEAP + MSCHAPv2) and everything works out of the box even though it feels like it would take a lifetime of study in an enclosed monastery to master every bit of the configuration.
I have my users in the `users` file and I would like to keep it that way (versus SQL or LDAP) because I like the convenience of editing users with a simple text editor.
What I'm trying to accomplish:
I have two SSIDs (`staff` and `guests`) and I would like to separate my users into two groups such that a guest user is rejected if they try to authenticate on the `staff` SSID.
What I have so far:
In my `users` file:
```
DEFAULT
    MyGroup := 'guests',
    Fall-Through := Yes
# Guest users
guest1 Cleartext-Password := 'password1'
# End of guest users
DEFAULT
    MyGroup := 'staff',
    Fall-Through := Yes
# Staff users
staff1 Cleartext-Password := 'kdjsfhksf'
# End of staff users
```
My hope is that, after parsing the file, the `reply:MyGroup` attribute has `staff` or `guest` depending on what user matched the request.
My `dictionary` file has this:
```
ATTRIBUTE MyGroup 3000 string
```
And my `default` site has this in the `authorize` group, right after the `files` module. The `rewrite_called_station_id` creates a new attribute `Called-Station-SSID`, which I use along with the `MyGroup` attr created by the `files` mod to try and filter the users:
```
# get SSID from Called-Station-Id
rewrite_called_station_id
# check guest connecting to staff SSID and reject if so
if (&MyGroup == 'guests' && &Called-Station-SSID == 'STAFF') {
    reject
}
```
I also tried this:
```
if (&reply:MyGroup == 'guests' && &Called-Station-SSID == 'STAFF') {
```
But in any case I get the following error:
```
if (&reply:MyGroup == 'guests' && &Called-Station-SSID == 'STAFF') {
ERROR: Failed retrieving values required to evaluate condition
```
At this point I have no clue what's going on and how to fix it.
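
Added example (not part of the original post and not FreeRADIUS code): a small Python model of how the `users` file above is walked top to bottom with `Fall-Through`, showing which `MyGroup` value each User-Name ends up with, including a name that matches no user entry, such as an anonymous PEAP outer identity. The names `walk_users` and `ssid_allowed`, the `anonymous` sample name and the deny-by-default check are assumptions made for illustration.

```python
# Illustrative model of a FreeRADIUS "users" file walk; not FreeRADIUS code.
# Constructed from the question's file: (entry name, reply items, Fall-Through).
USERS = [
    ("DEFAULT", {"MyGroup": "guests"}, True),
    ("guest1", {}, False),   # Cleartext-Password is a control item, omitted here
    ("DEFAULT", {"MyGroup": "staff"}, True),
    ("staff1", {}, False),
]
STAFF_SSID = "STAFF"  # value the question's condition compares against


def walk_users(user_name, entries=USERS):
    """Return (reply items, matched_named_entry) for one User-Name."""
    reply, matched = {}, False
    for name, items, fall_through in entries:
        if name not in ("DEFAULT", user_name):
            continue
        reply.update(items)          # ':=' replaces an earlier value
        matched = matched or name == user_name
        if not fall_through:
            break                    # no Fall-Through: stop at this entry
    return reply, matched


def ssid_allowed(user_name, ssid):
    """Deny-by-default variant of the question's check (hypothetical helper)."""
    reply, matched = walk_users(user_name)
    if not matched or ssid is None:
        return False                 # unknown user or no SSID attribute
    if ssid == STAFF_SSID:
        return reply.get("MyGroup") == "staff"
    return True


if __name__ == "__main__":
    # "anonymous" is a constructed name that matches no user entry.
    for user in ("guest1", "staff1", "anonymous"):
        reply, matched = walk_users(user)
        print(user, reply.get("MyGroup"), matched, ssid_allowed(user, STAFF_SSID))
```

In this model a name that matches only the two `DEFAULT` entries still ends with `MyGroup` set to `staff`, which is why the sketch checks that a named entry matched before trusting the group.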