We have one Mikrotik CCR as NAS (PPPoE) and Freeradius as billing. Multiple areas are connected to the Mikrotik via a Cisco switch, and VLANs are configured for each port.
We have a few reseller/franchise managers, like Dealer-A, Dealer-B.
They can create their own users in Freeradius using a frontend GUI designed in PHP. All dealers can view/edit their own users only.
Sometimes it happens that Dealer-A creates an ID and gives it to a user/friend who is sitting in Dealer-B's network; therefore, from a billing perspective, it's a loss for Dealer-B.
Can we add some restriction so that user IDs created by each dealer are able to connect only from his network (or from their own VLAN)?
Either way, you should be creating a separate hotspot/PPPoE server per VLAN. Then just check the Access-Request packet; there is an attribute you can use, I think it's caller-id. You can use that on Freeradius to then allow/deny access as you wish.
NAS-Port-Id == VLAN2
& it seems to be working fine.
Is there any way I can customize the radreply if a user gets rejected due to an incorrect VLAN (for log purposes)?
Example of one module I have that checks for Invalid MAC.
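# Compare the VLAN stored for this user with the NAS-Port-Id sent by the NAS
if ("%{sql: select vlanid from users where username = '%{User-Name}'}" != "%{NAS-Port-Id}") {
    # Message returned to the NAS in the Access-Reject
    update reply {
        Reply-Message = 'You are not allowed to connect from this VLAN'
    }
    # Force the request to be rejected
    update control {
        Auth-Type := "Reject"
    }
}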
It’s added under Authorized Section. Will write about it in detail if someone requires it.
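Before switching the reject on, it helps to know which existing logins it would refuse. The following is an added example, not code from this thread: a dry-run audit that applies the same `vlanid` vs. `NAS-Port-Id` comparison to past sessions. The data is constructed; the `dealer` field and the one-VLAN-per-dealer mapping are assumptions, and the session rows stand in for the `username` and `nasportid` columns of the `radacct` table.

```python
"""Dry-run audit: which past sessions would the VLAN check have rejected?"""
from collections import defaultdict

# Constructed sample data. USERS mirrors the "users" table from the post
# (username -> vlanid); the "dealer" field is a hypothetical addition.
USERS = {
    "a-user1": {"dealer": "Dealer-A", "vlanid": "VLAN2"},
    "a-user2": {"dealer": "Dealer-A", "vlanid": "VLAN2"},
    "b-user1": {"dealer": "Dealer-B", "vlanid": "VLAN3"},
}
# Constructed accounting rows: (username, NAS-Port-Id seen for the session).
SESSIONS = [
    ("a-user1", "VLAN2"),
    ("a-user2", "VLAN3"),   # Dealer-A's ID used inside Dealer-B's VLAN
    ("a-user2", "VLAN3"),
    ("b-user1", "VLAN3"),
    ("ghost", "VLAN2"),     # no row in the users table
    ("b-user1", ""),        # session recorded without a port id
]

def classify(username, nas_port_id, users):
    """Return 'ok', 'wrong-vlan', 'unknown-user' or 'no-port-id'."""
    user = users.get(username)
    if user is None:
        return "unknown-user"
    if not nas_port_id:
        return "no-port-id"
    # Exact, case-sensitive string comparison, as in the unlang condition.
    return "ok" if nas_port_id == user["vlanid"] else "wrong-vlan"

def audit(sessions, users):
    """Count wrong-VLAN sessions per (owner, username, VLAN seen, VLAN's dealer)."""
    vlan_owner = {u["vlanid"]: u["dealer"] for u in users.values()}
    findings, other = defaultdict(int), defaultdict(int)
    for username, port in sessions:
        verdict = classify(username, port, users)
        if verdict == "wrong-vlan":
            owner = users[username]["dealer"]
            host = vlan_owner.get(port, "unassigned")
            findings[(owner, username, port, host)] += 1
        elif verdict != "ok":
            other[verdict] += 1   # rows to clean up before enforcing
    return dict(findings), dict(other)

if __name__ == "__main__":
    findings, other = audit(SESSIONS, USERS)
    for (owner, user, port, host), n in sorted(findings.items()):
        print(f"{user} ({owner}) seen {n}x on {port} ({host})")
    print("needs review:", other)
```

Sessions counted under `unknown-user` or `no-port-id` point to data that should be fixed before enforcement, since the comparison has nothing reliable to match against for them.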