2 coova + 2 locations + one radius.

Hi,

I'm trying to figure out how to make the following configuration:

1) Two locations (two cities)
2) At each location there is one coovachilli server
3) Several hotspots are connected to each coovachilli
4) There is one central freeradius server holding all accounts, for both locations.

Now, what I'm trying to do is create accounts that are location-dependent... so an account created for one location can't be used at the other location...

Can anybody help me, or give me some info on how to do that?

Thanks so much !

You can check the

You can check the nas-identifier (or the NAS IP address if your NASes have fixed IPs) in radius and allow/deny access based on that.

kind regards

Oh good ! This is exactly

Oh good! This is exactly what I need! Any help on how to do it? My freeradius checks username/password and also max-session time and expiration time, but I don't really know how to implement nas-id checking... Is it something to do with sql? At last now I know that I have to work on the radius side!

Thanks a lot !!

Thomas.

I guess you have 2 (or more)

I guess you have 2 (or more) different radius groups? (One group for each location, at least that's the way I do it.)
In radgroupcheck:

GroupName   Attribute        OP   Value
MyGroup1    NAS-Identifier   ==   nas-identifier-of-nas1
MyGroup2    NAS-Identifier   ==   nas-identifier-of-nas2

This checks that a user of group1 can only log in to nas1 (if he tries nas2, he will get a reject from radius as the nasid doesn't match).
If you need to block a user/group from multiple NASes, use:
mygroup3 NAS-Identifier != (nas1|nas2|nas3)

You can also use operator != to prevent users of a group from logging in to nas x.
You can do the same on a per-user basis: just use the username instead of the groupname and put it in radcheck instead of radgroupcheck.

There probably are better ways to do this (definitely in FR2.x), but this is the way I do it.
It's not perfect, as the user logging in to the wrong hotspot doesn't get notified "why" he got rejected, but it works.

PS You'd also better configure simultaneous-use := 1 to prevent your users from sharing their credentials with others ;-)

Hope this helps
Kind regards
B
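The group-to-NAS binding described in the post above, as an added example that is not part of the original thread and not FreeRADIUS code: it loads the two radgroupcheck rows into an in-memory SQLite database, models the accept/reject rule in simplified form, and audits for accounts that are not tied to any location. The users `alice`, `bob`, `carol` and the group `Unbound` are constructed sample data, and the rule that every NAS-Identifier check item must hold is an assumption of this sketch.

```python
import sqlite3

# Constructed sample data. Table and column names follow the stock FreeRADIUS
# SQL schema; the users and the 'Unbound' group are hypothetical.
SCHEMA = """
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER DEFAULT 1);
CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
INSERT INTO radgroupcheck VALUES
  ('MyGroup1', 'NAS-Identifier', '==', 'nas-identifier-of-nas1'),
  ('MyGroup2', 'NAS-Identifier', '==', 'nas-identifier-of-nas2');
INSERT INTO radusergroup (username, groupname) VALUES
  ('alice', 'MyGroup1'), ('bob', 'MyGroup2'), ('carol', 'Unbound');
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def nas_allowed(db, username, nas_identifier):
    """Simplified model (an assumption, not FreeRADIUS code): every
    NAS-Identifier check item on the user's groups must hold."""
    rows = db.execute(
        "SELECT c.op, c.value FROM radusergroup u "
        "JOIN radgroupcheck c ON c.groupname = u.groupname "
        "WHERE u.username = ? AND c.attribute = 'NAS-Identifier'",
        (username,)).fetchall()
    for op, value in rows:
        if op == "==" and nas_identifier != value:
            return False
        if op == "!=" and nas_identifier == value:
            return False
    return True

def unbound_users(db):
    """Audit: users none of whose groups carries a NAS-Identifier check,
    i.e. accounts that are not tied to any location."""
    rows = db.execute(
        "SELECT DISTINCT username FROM radusergroup WHERE username NOT IN ("
        "  SELECT u.username FROM radusergroup u JOIN radgroupcheck c"
        "  ON c.groupname = u.groupname WHERE c.attribute = 'NAS-Identifier')"
        " ORDER BY username").fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    for user, nas in [("alice", "nas-identifier-of-nas1"), ("alice", "nas-identifier-of-nas2")]:
        print(user, nas, "accept" if nas_allowed(db, user, nas) else "reject")
    print("not location-bound:", unbound_users(db))
```

The `unbound_users` query can be run as-is against a real radusergroup/radgroupcheck pair to spot accounts that would be accepted at every location.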

Oh it really helps ! I've

Oh it really helps! I've spent a long time trying to find a solution for that! I'm really new to coova and radius...

Thanks so much, you can't imagine how much it helps me! I'm trying to build a wifi network across several locations and all is working well, except that a user from one location can log in at another one with the same login... which is bad, as plan rates are different for some locations...

Thanks so much !

Thomas.