NAS-Group? - different replies to different NASes?

Adrian adrian at dsl4u.ca
Thu Feb 28 00:03:53 CET 2008


Hello Ivan,

I haven't had much luck with setting this up.  We use a MySQL DB and in the
sql.conf file I don't use the DEFAULT Profile section nor do we use the
users file.  I've spoken with a few friends and they were able to get this
working but in a flat-file environment (i.e. using the users file and using
the DEFAULT you've mentioned below).

Is there a way to get this working with SQL without hacking the SQL
statements?

I was thinking of modifying the authorization query in sql.conf
(authorize_group_check_query) to utilize a Huntgroup-Name Attribute in the
radgroupcheck table.  Not sure if this will even work. 

Here is the original query:

authorize_group_check_query = "SELECT ${groupcheck_table}.id, ${groupcheck_table}.GroupName,
    ${groupcheck_table}.Attribute, ${groupcheck_table}.Value, ${groupcheck_table}.op
    FROM ${groupcheck_table}, ${usergroup_table}
    WHERE ${usergroup_table}.Username = '%{SQL-User-Name}'
    AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName
    ORDER BY ${groupcheck_table}.id"

Here is the proposed changed query:

authorize_group_check_query = "SELECT ${groupcheck_table}.id, ${groupcheck_table}.GroupName,
    ${groupcheck_table}.Attribute, ${groupcheck_table}.Value, ${groupcheck_table}.op
    FROM ${groupcheck_table}, ${usergroup_table}
    WHERE ${usergroup_table}.Username = '%{SQL-User-Name}'
    AND ${usergroup_table}.NASGroup = ${groupcheck_table}.NASGroup
    ORDER BY ${groupcheck_table}.id"

For the above to work I would have to introduce a new column in the
usergroup table called NASGroup and also in the radgroupcheck table.
This sounds like a lot of work and maybe unnecessary.

I'm pretty sure this works with huntgroups and flat files...how can I make
it work with SQL?  Will my answer be turning up "Default Profile" under the
sql.conf file of the radius server?

Best regards,
Adrian

-----Original Message-----
From: freeradius-users-bounces+adrian=dsl4u.ca at lists.freeradius.org
[mailto:freeradius-users-bounces+adrian=dsl4u.ca at lists.freeradius.org] On
Behalf Of Adrian
Sent: Tuesday, February 26, 2008 5:09 PM
To: 'FreeRadius users mailing list'
Subject: RE: NAS-Group? - different replies to different NASes?

Thanks Ivan,

I will give that a try.  Thanks for all your help.

Adrian

-----Original Message-----
From: freeradius-users-bounces+adrian=dsl4u.ca at lists.freeradius.org
[mailto:freeradius-users-bounces+adrian=dsl4u.ca at lists.freeradius.org] On
Behalf Of Ivan Kalik
Sent: Tuesday, February 26, 2008 2:37 PM
To: FreeRadius users mailing list
Subject: RE: NAS-Group? - different replies to different NASes?

>
>A: I have a set of "master" tunnel attributes that I always have to send to
>this Telco.
>i.e. Service-type, Tunnel-Type, Tunnel-Preference, Tunnel-password,
>Tunnel-Server-Endpoint..etc
>The way this Telco obtains these attributes is by sending the
>Username/Password combination my way. (i.e. I need to authenticate
>userxyz at telco.com).  Once I see that user come through from their boxes (3
>Static IPs) I have to send back to them the tunnel attributes above.  Once
>the tunnel attributes were sent, they establish an L2TP tunnel to my LNS and
>my LNS now asks my Radius server again to authenticate the user.  So I see
>the same userxyz at telco.com requesting to be authenticated.  Since I
>currently cannot distinguish between NASes I am sending the same Tunnel
>Attributes to my LNS which causes my LNS to try to initiate a tunnel back to
>itself (because the Tunnel-Server-Endpoint attribute is the actual LNS).
>++++++++++++++++++++++++++++++++++++++
>

This is very strange. That information should be on telco radius server,
not yours. It should not have to proxy requests to you. They ought to
know the tunnel endpoint - *they* gave you the IP to set on your router
when they leased you the line.

Simplest thing to do is to create a huntgroup called LAC and place those
static IPs there. Then put something like this in your users file:

DEFAULT   Huntgroup-Name == "LAC", Auth-Type := Accept
          Reply-Message = "You are one strange telco",
          and list other reply attributes that you need to send them.


Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
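An added example, not code from the thread, from FreeRADIUS, or from either poster, that models the mechanism both messages revolve around: the huntgroups file maps a NAS IP to a Huntgroup-Name on the request, and a radgroupcheck row of Huntgroup-Name == "LAC" then gates one group's replies to requests from those NASes, so the LNS re-authentication of the same user falls through to a group that carries no tunnel attributes. It uses an in-memory sqlite3 database in place of MySQL, the group-check query shape from Adrian's mail with the table names filled in, and constructed sample rows. The group names, IP addresses, reply attributes and the "first group whose check items match wins" rule are assumptions of the example, not rlm_sql's exact semantics (Fall-Through and operators other than == and != are not modelled).

```python
import sqlite3

# Constructed stand-in for the huntgroups file: huntgroup name -> NAS IPs.
HUNTGROUPS = {"LAC": {"192.0.2.10", "192.0.2.11", "192.0.2.12"}}

# Query shape from the thread's authorize_group_check_query, with the table
# names filled in and %{SQL-User-Name} replaced by a bound parameter.
GROUP_CHECK_QUERY = """
    SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
           radgroupcheck.Value, radgroupcheck.op
    FROM radgroupcheck, radusergroup
    WHERE radusergroup.Username = ?
      AND radusergroup.GroupName = radgroupcheck.GroupName
    ORDER BY radgroupcheck.id"""
USER_GROUPS_QUERY = """
    SELECT GroupName FROM radusergroup WHERE Username = ? ORDER BY priority"""
GROUP_REPLY_QUERY = """
    SELECT Attribute, op, Value FROM radgroupreply WHERE GroupName = ? ORDER BY id"""


def huntgroup_for(nas_ip):
    """Stand-in for the preprocess module: Huntgroup-Name for a NAS IP, or None."""
    for name, members in HUNTGROUPS.items():
        if nas_ip in members:
            return name
    return None


def build_db():
    """In-memory sqlite3 copy of the three tables, filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radusergroup (Username TEXT, GroupName TEXT, priority INTEGER);
        CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT,
                                    Attribute TEXT, op TEXT, Value TEXT);
        CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT,
                                    Attribute TEXT, op TEXT, Value TEXT);""")
    db.executemany("INSERT INTO radusergroup VALUES (?, ?, ?)", [
        ("userxyz@telco.com", "telco-lac", 1),   # tried first: gated on the huntgroup
        ("userxyz@telco.com", "telco-lns", 2),   # fallback for the LNS re-authentication
    ])
    # The only check item: this group applies to requests from the LAC huntgroup.
    db.execute("INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) "
               "VALUES (?, ?, ?, ?)", ("telco-lac", "Huntgroup-Name", "==", "LAC"))
    db.executemany("INSERT INTO radgroupreply (GroupName, Attribute, op, Value) "
                   "VALUES (?, ?, ?, ?)", [
        ("telco-lac", "Tunnel-Type", ":=", "L2TP"),
        ("telco-lac", "Tunnel-Medium-Type", ":=", "IP"),
        ("telco-lac", "Tunnel-Server-Endpoint", ":=", "198.51.100.1"),  # constructed LNS IP
        ("telco-lns", "Service-Type", ":=", "Framed-User"),
        ("telco-lns", "Framed-Protocol", ":=", "PPP"),
    ])
    return db


def check_items_match(items, request):
    """Simplified check-item evaluation: only == and != are modelled.

    A missing request attribute fails == and satisfies !=; this is the example's
    own rule, not a claim about FreeRADIUS's paircompare behaviour."""
    for attr, op, value in items:
        present = attr in request
        if op == "==" and not (present and request[attr] == value):
            return False
        if op == "!=" and present and request[attr] == value:
            return False
    return True


def authorize(db, username, nas_ip):
    """Return (group, reply attributes) for the first group whose check items all match."""
    request = {"User-Name": username, "NAS-IP-Address": nas_ip}
    hg = huntgroup_for(nas_ip)
    if hg:
        request["Huntgroup-Name"] = hg       # what preprocess adds to the request
    checks = {}
    for _id, group, attr, value, op in db.execute(GROUP_CHECK_QUERY, (username,)):
        checks.setdefault(group, []).append((attr, op, value))
    for (group,) in db.execute(USER_GROUPS_QUERY, (username,)):
        if check_items_match(checks.get(group, []), request):
            reply = db.execute(GROUP_REPLY_QUERY, (group,)).fetchall()
            return group, {attr: value for attr, _op, value in reply}
    return None, {}


if __name__ == "__main__":
    db = build_db()
    print(authorize(db, "userxyz@telco.com", "192.0.2.10"))   # from the telco LAC: tunnel attrs
    print(authorize(db, "userxyz@telco.com", "203.0.113.5"))  # from the own LNS: no tunnel attrs
```

Under this model the per-NAS distinction lives entirely in radgroupcheck and the huntgroups file, so neither the query nor the usergroup table needs a NASGroup column; the request from the telco's static IPs picks up the tunnel attributes, while the identical user name arriving from the LNS does not.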
