Monday, June 5, 2017

A Guide: Restrict User Access to A Particular SSID With Freeradius.

A Guide: Restrict User Access to A Particular SSID With Freeradius

Hello, everyone. I am posting this guide hoping that it could help anyone who needs an easy way restricting user access to a particular SSID. I do this because most of the articles that I found on the Internet were either too complicated or involves multiple tables coupled with confusing configuration tweaking. My goal is for you to have a network that is access-filtered as fast and as easy as possible.

This guide is suitable for small to medium network environment such as home network, school network and small business network. This guide assumes you have a working Freeradius and Mysql server and that you have configured your Freeradius server to utilize Mysql database instead of files.

Full disclosure: I am not an expert, I am just someone who dabbles in the subject. I am open to any suggestions, if anyone knows better ways of doing it, I would love to know about it. 


First, we begin by creating a table inside Freeradius' database and we will name it radmacauth.
mysql> USE radius;
mysql> CREATE TABLE radmacauth (
mysql>     devMACADDR VARCHAR(17) NOT NULL,
mysql>     description VARCHAR(128),
mysql>     userID INT(11) UNSIGNED NOT NULL,
mysql>     username VARCHAR(64) NOT NULL,
mysql>     aabbccddeeff BOOLEAN DEFAULT 1,
mysql>     aabbccddeeff BOOLEAN DEFAULT 1,
mysql>     PRIMARY KEY (devID)
mysql> );
Caution! Please change the aabbccddeeff  column name to your WiFi MAC address without the colon or dash separator, in this case I have 2 WiFi APs.

userID and username are derived from table radcheck of Freeradius database.

The BOOLEAN data type is used as a GRANT or DENY access permission.

Second, edit the /etc/freeradius/sites-available/default file.
sudo nano default
Please type rewrite.calling_station_id under preprocess in the authorize section.
authorize {
This rewrite.calling_station_id module will ensure that all MAC address have default format which is aa-bb-cc-dd-ee-ff.

Lastly, still editing the default file, find the post-auth section and type the following before everything else.
post-auth {
     if("%{sql:SELECT COUNT(*) FROM radmacauth WHERE devMACADDR='%{Calling-Station-ID}' AND username='%{User-Name}' AND %{NAS-Identifier}=1}" > 0){
Mysql will match %{NAS-Identifier} attribute from Freeradius to one of the radmacauth's WiFi APs column. If all the conditions are true then access is granted, other than that access is denied.

Save the file and restart Freeradius, fill the database and you now have an access-filtered network.