FreeRADIUS question...

xtc · October 22, 2006, 2:12pm

Hello,
I have recently installed FreeRadius on my Linux box (Debian Sarge 3.1), and have set it up to work with MySQL, everything works good, but I have a small ‘problem’.

I have Mikrotik 2.9.6 installed on my machine that serves as a router, This router has HOTSPOT and PPPoE server on It, on each of these, I have… say 5 users, and all request from HS and PPPoE go to my RADIUS server.

For HS and PPPoE I have 2 different Address pools set up on Mikrotik ([HS - 192.168.10.0/24] && [PPPoE - 192.168.11.0/24]). The problem is that if a HS user knows username or password from PPPoE user, he can login to PPPoE account from HS login page… and vice versa, but of course they can’t use network resources, or browse the Internet…

Anyway, I’m looking for a way to limit that HS users can only login from HS login page, and PPPoE users can only login from already made PPPoE connection. Is this possible to do in RADIUS by any chances??

Many Thanks in Forward

elihuzero · July 9, 2008, 11:26pm

hi how you doing, i see your post and i´m interesting to know your configuration because i try to make the same, install in one PC Freeradius, in another Mikrotik, and my client make a PPPoE Tunel to my mikrotik and autentification with the Radius, but i can´t,

can you help me? or send me your configuration files to see how can i fix my problem

Thanks, i hope you can help me

SurferTim · July 9, 2008, 11:54pm

Greetings!

I do this all the time.

Set the radius-location-name in the hotspot profile. I used “test” in this example.
If user “user1” logs on to the hotspot, then in the SQL radius database:
insert into radcheck (UserName,Attribute,op,Value) values (‘user1’,‘WISPr-Location-Name’,‘==’,‘test’);

This allows user1 to login only if the WISPr-Location-Name and the radius-location-name values match. Otherwise, the radius server returns access-reject. That keeps your hotspot users off the PPPoE.

ADD: You can do the same with radgroupcheck if all your users you want to restrict are in the same group. Only one entry covers all users in the group:
insert into radgroupcheck (GroupName,Attribute,op,Value) values (‘user1group’,‘WISPr-Location-Name’,‘==’,‘test’);

For users not allowed to login the hotspot (user2 in this example):
insert into radcheck (UserName,Attribute,op,Value) values (‘user2’,‘WISPr-Location-Name’,‘!=’,‘test’);
Note the != instead of ==
That should keep your PPPoE users off the hotspot.