I have implemented RADIUS MAC authentication with a Unifi AP and freeradius. I am using RADIUS primarily to set the VLAN that the device should be sent to, allowing a consolidated SSID to handle multiple VLANs. (This is a home network, not an enterprise, so I am not concerned with the MAC spoofing situation.) Any MAC connecting will get a VLAN (but non-RADIUS users will go to a guest VLAN by default).
The freeradius question is how I can go about assigning a group value to each MAC user definition and then, post-auth, use that group name to define the specific attributes such as Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-Id. I simply want to do this to avoid having to repeat all these tunnel values for each device.
Example (not sure if syntax is right)
authorize file
AABBCCDDEEFFGG Group := "iot", Cleartext-Password := "AABBCCDDEEFFGG"
site-enabled/default (I think it might go here)
if (group == "iot") { # update reply, set Tunnel-* values }
Any guidance someone could provide would be great. All the examples I have found seem to be using the mysql backend and I don't have a need for the additional complexity.
I was able to figure this out using control variables. Here is the solution.
Create a custom attribute in the dictionary file.
ATTRIBUTE VLAN-Group-Name 3000 string
Add users to the authorize file like so
AA-BB-CC-DD-EE-FF Cleartext-Password := "AA-BB-CC-DD-EE-FF", VLAN-Group-Name := "iot"
In your virtual server (in my case it was sites-enabled/default), look for the post-auth section and add code similar to this. Replace the group-id XXX with the VLAN # you want sent back to the AP to be assigned. I placed the code right above the -sql portion.
# Attribute reference (&...), not a quoted string; the value comes from the
# control list, where the := check items of the users file put it.
switch &control:VLAN-Group-Name {
    case "iot" {
        # No commas inside an unlang update block, one attribute per line.
        # VLAN = 13 and IEEE-802 = 6 are the names from dictionary.rfc2868.
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = XXX
        }
    }
    case "general" {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = XXX
        }
    }
}
This allows you to keep the authorize file clean with just users and their group, and keeps the group values in one place in post-auth. If you ever need to change the VLAN # of any group, it is just one update and a restart.
Cheers!
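A fuller version of the same approach, written here as an added example rather than taken from the post above, and going a little beyond it: the Tunnel-Type and Tunnel-Medium-Type that every group shares are set once, each case carries only its VLAN ID, a group name that has no matching case fails closed with a reject instead of leaving the AP to pick a VLAN, and an optional DEFAULT entry puts every unknown MAC into a guest group. The VLAN numbers (10, 20, 99), the two MAC addresses, the group names and the FreeRADIUS 3.x file paths are assumptions; the only thing taken from the post is the custom VLAN-Group-Name attribute and the MAC-as-username, MAC-as-password scheme.

```unlang
# --- /etc/freeradius/3.0/dictionary (the local dictionary) ---
# Internal attribute, never sent on the wire; 3000 and up is the local range.
ATTRIBUTE   VLAN-Group-Name   3000   string

# --- /etc/freeradius/3.0/mods-config/files/authorized (the "users" file) ---
# User-Name and password are both the MAC, spelled exactly as the AP sends it
# (check the format with "radiusd -X"). Only the group name is per device.
# The addresses below are placeholders, not real devices.
AA-BB-CC-DD-EE-F1   Cleartext-Password := "AA-BB-CC-DD-EE-F1", VLAN-Group-Name := "iot"
AA-BB-CC-DD-EE-F2   Cleartext-Password := "AA-BB-CC-DD-EE-F2", VLAN-Group-Name := "general"

# Optional (assumption: you want unknown MACs on a guest VLAN rather than
# rejected). Auth-Type := Accept skips the password check, so the MAC is the
# only "credential" here; firewall VLAN 99 like any untrusted network.
# Matching stops at the first entry, so the specific MACs above never fall
# through to this line.
DEFAULT   Auth-Type := Accept, VLAN-Group-Name := "guest"

# --- /etc/freeradius/3.0/sites-enabled/default ---
# Goes inside the existing post-auth { ... } section, e.g. just before -sql.
# Only requests that carry a group name are touched; anything else that
# authenticated through this virtual server passes through unchanged.
if (&control:VLAN-Group-Name) {
    # Shared attributes once. VLAN = 13 and IEEE-802 = 6 in dictionary.rfc2868.
    update reply {
        &Tunnel-Type := VLAN
        &Tunnel-Medium-Type := IEEE-802
    }
    # Group name -> VLAN ID. Tunnel-Private-Group-Id is a string attribute,
    # so the number is quoted.
    switch &control:VLAN-Group-Name {
        case "iot" {
            update reply {
                &Tunnel-Private-Group-Id := "20"
            }
        }
        case "general" {
            update reply {
                &Tunnel-Private-Group-Id := "10"
            }
        }
        case "guest" {
            update reply {
                &Tunnel-Private-Group-Id := "99"
            }
        }
        # A group name with no case above is a typo in the users file.
        # Fail closed: "reject" in post-auth turns the Access-Accept into an
        # Access-Reject, rather than handing the AP a reply with no VLAN and
        # letting it place the device wherever its own default says.
        case {
            reject
        }
    }
}
```

To check it without touching the AP, run radtest against the local server with the MAC as both user and password (the fifth argument is the shared secret from clients.conf): `radtest AA-BB-CC-DD-EE-F1 AA-BB-CC-DD-EE-F1 localhost 0 testing123` should return an Access-Accept carrying Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id = "20"; temporarily changing that entry's group to a name with no case should flip the result to Access-Reject, and `radiusd -X` shows which case matched.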