Limit login by Service


Limit login by Service

Sajad Tahernejad
Hi,
I want to limit connections to a Mikrotik NAS by service, for example only
accept PPTP or PPPoE. I see Framed-Protocol can check PPP only; can anyone
help me to limit it to PPTP or PPPoE only?
Thanks. Regards
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Limit login by Service

Alan DeKok-2
On Sep 2, 2019, at 4:55 AM, Sajad Tahernejad <[hidden email]> wrote:
>
> I want to limit connections to a Mikrotik NAS by service, for example only
> accept PPTP or PPPoE. I see Framed-Protocol can check PPP only; can anyone
> help me to limit it to PPTP or PPPoE only?

Read the debug output to see what is different in the Access-Request between those different services.  Then, write policy rules to check for those differences, and do what you want.

We don't have access to your Mikrotik NAS.  We're not Mikrotik.  We don't know all of the Mikrotik documentation.  Only *you* can find out what your NAS is doing in different situations.

Alan DeKok.


Re: Limit login by Service

aacable
@Sajad

Just to share the logic (it may be incorrect), but in Mikrotik I see the following:

  *   PPPoE > NAS-Port-Type = Ethernet
  *   PPTP  > NAS-Port-Type = Virtual

Now, using your users table where the information is stored, you can create a query to check whether the user is using the allowed service type.

Users table example:

mysql> describe users;
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| id       | int(10)     | NO   | PRI | NULL    | auto_increment |
| username | varchar(64) | NO   |     | NULL    |                |
| srvtype  | varchar(16) | NO   |     | NULL    |                |
+----------+-------------+------+-----+---------+----------------+
3 rows in set (0.00 sec)

mysql> select * from users;
# this type will allow pppoe only
+----+----------+----------+
| id | username | srvtype  |
+----+----------+----------+
|  1 | zaib     | Ethernet |
+----+----------+----------+
1 row in set (0.00 sec)

Now edit /etc/freeradius/sites-enabled/default and paste the following into the `authorize` section (check the syntax and braces if required):


# Compare the srvtype stored for this user with the NAS-Port-Type of the request;
# any mismatch (or an unknown user, whose lookup expands to an empty string) is rejected.
if ("%{sql: select srvtype from users where username = '%{User-Name}'}" != "%{NAS-Port-Type}") {
    update reply {
        Reply-Message = 'Error: You are not allowed to connect using this service type !'
    }
    update control {
        Auth-Type := "Reject"
    }
}

Now try to connect with the user from a different service type; the debug output shows:

(9)   } # if ("%{sql: select srvtype from users where username = '%{User-Name}'}" != "%{NAS-Port-Type}")  = noop
(9)   Reply-Message = "Error: You are not allowed to connect using this service type !"
(9) Found Auth-Type = Reject
(9) Auth-Type = Reject, rejecting user
(9) Failed to authenticate the user

More info on a similar approach, which I wrote about for restricting users to an allowed VLAN number, is here: <https://aacable.wordpress.com/2018/01/18/freeradius-with-mikrotik-part-9-restrict-user-auth-from-allowed-vlan-only/>

Regards,
SYED JAHANZAIB
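Putting the two ideas in this thread together, as an added example that is not code from the list post or from the FreeRADIUS project: an `authorize` fragment that first refuses any NAS-Port-Type other than the two values listed above (which answers the original question of allowing only PPTP or PPPoE), and then enforces the per-user srvtype from the users table. The users(username, srvtype) table, the sql module instance name and the reply texts are assumptions taken from this thread.

```unlang
authorize {
    # Added example, not the list post's code. Assumes the users(username, srvtype)
    # table shown above and an rlm_sql instance named "sql" with a working connection.

    # 1. Global rule: only PPPoE (NAS-Port-Type = Ethernet) and PPTP
    #    (NAS-Port-Type = Virtual) are accepted at all. Framed-Protocol is
    #    PPP for both, so it cannot tell them apart; NAS-Port-Type can.
    #    A request without NAS-Port-Type fails this test too (fail closed).
    if (!(&NAS-Port-Type == Ethernet || &NAS-Port-Type == Virtual)) {
        update reply {
            &Reply-Message := "Error: only PPPoE and PPTP logins are permitted"
        }
        reject
    }

    # 2. Per-user rule: the srvtype stored for the user must equal the
    #    NAS-Port-Type name of this request. A user missing from the table
    #    expands to an empty string, which never matches, so unknown users
    #    are rejected here as well. rlm_sql registers an escape function for
    #    its xlat, so the expanded User-Name is escaped inside the SQL string.
    if ("%{sql:SELECT srvtype FROM users WHERE username = '%{User-Name}'}" != "%{NAS-Port-Type}") {
        update reply {
            &Reply-Message := "Error: You are not allowed to connect using this service type !"
        }
        reject
    }

    # ... the site's usual authorize modules follow (preprocess, files, sql, pap, ...)
}
```

`reject` returns from the section immediately, which is the shorter equivalent of setting `Auth-Type := Reject` as in the post above; run the server in debug mode (`radiusd -X`) and watch the `(n) ... = noop` / `reject` lines to confirm which rule fired.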
________________________________
From: Freeradius-Users <freeradius-users-bounces+aacable=[hidden email]> on behalf of Sajad Tahernejad <[hidden email]>
Sent: Monday, September 2, 2019 1:55 PM
To: FreeRadius users mailing list <[hidden email]>
Subject: Limit login by Service

Re: Limit login by Service

aacable
Correction:

if ("%{sql: select srvtype from users where username = '%{User-Name}'}" != "%{NAS-Port-Type}") {
________________________________
From: Freeradius-Users <freeradius-users-bounces+aacable=[hidden email]> on behalf of JAHANZAIB SYED <[hidden email]>
Sent: Friday, November 8, 2019 2:40 PM
To: FreeRadius users mailing list <[hidden email]>
Subject: Re: Limit login by Service