limiting user access

Dennis Skinner dskinner at bluefrog.com
Wed Aug 2 21:54:10 CEST 2006


simon at 434canada.com wrote:
> 
> OK, yes, I realize that was creating a user name.  So if I change that format line to have a Group attribute instead of User-Name, then I have a Group being created by NAS-IP-Address.  I still don't get how I can test to make sure that the user is part of this group.  I have tried adding the group name to the usergroup table, but whether or not this value is correct (corresponds to the value in the nas_group file) or is even present doesn't make a difference.  The user is always getting authenticated.  Where does the logic need to lie to check that the user is a part of the named group?

Group = Unix group
SQL-Group = the usergroup table in mysql

Set the SQL-Group in the huntgroups file and then put the user/group
entry in the usergroup table in mysql and it should just work.

Check the debug, you will see that it checks the SQL-Group early and
will reject on that before it even looks for the password.

If I understand you correctly, you shouldn't need rlm_passwd.  The only
difference between what you are trying and what we are doing is that I
use Client-IP-Address instead of NAS-IP-Address in the huntgroups file
because I have upstream RADIUS providers to deal with....

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com



More information about the Freeradius-Users mailing list