diff --git a/freeradius/sites-enabled/default b/freeradius/sites-enabled/default
index 1680b6b..be95728 100644
--- a/freeradius/sites-enabled/default
+++ b/freeradius/sites-enabled/default
@@ -12,13 +12,21 @@ server default {
 }
 authorize {
- # Si es EAP (WPA-Enterprise), procesar EAP y salir para no interferir
+ # Si es EAP (WPA-Enterprise)
 if (&EAP-Message) {
+ # Si el usuario está deshabilitado según SQL, rechazar antes de llamar a eap
+ if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username='%{User-Name}' AND attribute='Auth-Type' AND value='Reject'}" != "0") {
+ reject
+ }
 eap
 return
 }
 # Cargar atributos desde SQL (VLAN/bw, etc.)
 sql
+ # Si está deshabilitado en SQL, rechazar
+ if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username='%{User-Name}' AND attribute='Auth-Type' AND value='Reject'}" != "0") {
+ reject
+ }
 # Laboratorio: aceptar todo en flujos no EAP
 update control {
 Auth-Type := Accept
@@ -28,6 +36,9 @@ server default {
 authenticate {
 # EAP para WPA-Enterprise
 eap
+ Auth-Type Reject {
+ reject
+ }
 # Aceptar todo cuando control:Auth-Type := Accept (no EAP)
 Auth-Type Accept {
 ok
diff --git a/freeradius/sites-enabled/inner-tunnel b/freeradius/sites-enabled/inner-tunnel
index 814c936..70b5523 100644
--- a/freeradius/sites-enabled/inner-tunnel
+++ b/freeradius/sites-enabled/inner-tunnel
@@ -8,6 +8,10 @@ server inner-tunnel {
 authorize {
 # Cargar credenciales/atributos del usuario desde SQL
 sql
+ # Si está deshabilitado en SQL, rechazar antes de EAP
+ if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username='%{User-Name}' AND attribute='Auth-Type' AND value='Reject'}" != "0") {
+ reject
+ }
 # En caso de que el módulo SQL no haya poblado Cleartext-Password, obténlo vía xlat
 update control {
 Cleartext-Password := "%{sql:SELECT value FROM radcheck WHERE username='%{User-Name}' AND attribute='Cleartext-Password' ORDER BY id DESC LIMIT 1}"
@@ -32,6 +36,9 @@ server inner-tunnel {
 Auth-Type MS-CHAP {
 mschap
 }
+ Auth-Type Reject {
+ reject
+ }
 }
 post-auth {
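Review bot: The `%{sql:SELECT COUNT(*) ...}` check placed after `sql` re-queries radcheck for a row that, if the sql module runs its usual `authorize_check_query`, the preceding `sql` call has already loaded into `control:`, so the cheaper and less drift-prone form there is `if (&control:Auth-Type == Reject) { reject }` — the extra round-trip is only justified in the `&EAP-Message` branch, where `sql` is not called first (the same applies to the inner-tunnel authorize hunk, which repeats the query literal a third time). The comparison against `"0"` also fires when the xlat expands to an empty string (query error, no free connection), so a database outage rejects every request; that is fail-closed and probably intended, but it deserves a comment such as `# Una consulta fallida expande a "" y también rechaza (fail-closed)`. In the EAP branch the query runs on every packet of the conversation against the outer `User-Name`, which for PEAP/TTLS is commonly an anonymous outer identity, so for those methods the inner-tunnel check is the one that actually enforces the disable. The `%{User-Name}` nested in the sql xlat is, on 3.x as I recall, escaped by rlm_sql's own escape function subject to its `safe_characters` setting, which is worth confirming on this build since that is what keeps a crafted identity out of the query. Both `authorize` sections continue outside the hunk.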
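Review bot: The `Auth-Type Reject { reject }` sub-section added to `authenticate` looks unreachable: the `reject` calls added in `authorize` already end the request there, and, as far as I recall, the core also rejects a request whose `control:Auth-Type` is Reject after `authorize` without entering `authenticate` at all. The identical block is added to the inner-tunnel `authenticate` section in the last hunk. If it is kept as a belt-and-braces default, a comment should say so, e.g. `# Defensa adicional: normalmente no se alcanza, authorize ya rechaza`; otherwise it can be dropped to keep the section honest about which paths are live. The `authenticate` section continues outside the hunk.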