I'm trying to use FreeRADIUS 3.0.20 on Ubuntu. I use the users file to authenticate wireless users and that's working just fine. (This is a home system, not at work.)
For the moment I have a couple of new users for whom I have created a new SSID (Cisco Aironet controller and access points).
I would like to allow the new users to connect ONLY to the new SSID.
So let's call the old SSID SSID1 and the new SSID SSID2.
I want to restrict some users to SSID2 only.
So I've added the following line to /etc/freeradius/3.0/dictionary:
    ATTRIBUTE MyGroup 3000 string
This is the entry in the users file for one of the new users:
    NewUser1 Cleartext-Password := "password", MyGroup := "Newgroup"
            User-Password = "password"
And finally I currently have this in /etc/freeradius/3.0/policy.d/filter:
    filter_username {
        if (&User-Name) {
            if (&outer.request:User-Name == "NewUser1") && (&outer.request:Called-Station-Id !~ /.*:SSID2$/) {
                update request {
                    &Module-Failure-Message += 'You may not connect to this network'
                }
                reject
            }
        }
    }
Now that works just fine but it's obviously not scalable because it requires me to create an "or" for every user I want to restrict.
I was hoping to use the new "MyGroup" attribute instead as follows:
    if (&outer.control:MyGroup !~ /.*Newgroup.*/) && (&outer.request:Called-Station-Id !~ /.*:SSID2$/) {
        update request {
            &Module-Failure-Message += 'You may not connect to this network'
        }
        reject
    }
But FreeRADIUS is telling me "ERROR: Failed retrieving values required to evaluate condition" every time, whether I use &outer.control:MyGroup, &control.mygroup, or anything else I've tried to reference this MyGroup attribute that I've tried to create.
Can anyone suggest what I'm doing wrong? Or even if it's possible to do it like this?
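
Added example, not part of the original post: the group-based restriction written as its own policy, so that one condition covers every user tagged with MyGroup in the users file. The policy name `restrict_newgroup_ssid` is hypothetical. The example assumes the policy is listed in the `authorize` section after the `files` module, so the users-file check item MyGroup is already in the control list when the condition runs, and that the outer User-Name is the real user name that `files` matches.

```unlang
# /etc/freeradius/3.0/policy.d/ssid_restrict   (hypothetical file name)
#
# Assumption: called from "authorize" AFTER "files", for example:
#
#     authorize {
#         filter_username
#         ...
#         files
#         restrict_newgroup_ssid
#         ...
#     }
#
# Check items on the first line of a users-file entry are placed in the
# control list by "files". Before that module has run, &control:MyGroup
# does not exist and a condition that reads it cannot be evaluated.
restrict_newgroup_ssid {
    # Test for existence first so users without MyGroup simply fall through.
    if (&control:MyGroup && (&control:MyGroup == "Newgroup")) {
        # The post's regex implies Called-Station-Id ends in ":<SSID>".
        # Members of Newgroup are rejected on anything other than SSID2.
        if (&Called-Station-Id !~ /:SSID2$/) {
            update request {
                &Module-Failure-Message += "You may not connect to this network"
            }
            reject
        }
    }
}
```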