access rights for some users ou users groups with

BADAOUI Nasr-Eddine (P) nasr-eddine.badaoui at ratp.fr
Tue Oct 14 10:34:09 CEST 2008


I've configured my tables as follows : 
 
mysql> select * from usergroup;
+----+----------+-------------+
| id | UserName | GroupName   |
+----+----------+-------------+
| 13 | st234824 | test_radius |
+----+----------+-------------+

mysql> select * from radcheck;
+----+----------+----------------+----+------------------------------------+
| id | UserName | Attribute      | op | Value                              |
+----+----------+----------------+----+------------------------------------+
|  1 | st234824 | Crypt-Password | := | LqI8nHgSp/pTY                      |
+----+----------+----------------+----+------------------------------------+

mysql> select * from radgroupcheck;
+----+-------------+-----------+----+-------+
| id | GroupName   | Attribute | op | Value |
+----+-------------+-----------+----+-------+
|  4 | test_radius | Auth-Type | := | TLS   |
+----+-------------+-----------+----+-------+

mysql> select * from nas;
+----+---------------+-----------+-------+-------+------------+-----------+-------------+
| id | nasname       | shortname | type  | ports | secret     | community | description |
+----+---------------+-----------+-------+-------+------------+-----------+-------------+
|  6 | 192.168.9.155 | switch    | cisco |  1812 | bonjour    |           |             |
|  9 | 192.168.9.154 | webmail01 | other |  1812 | testing123 |           |             |
+----+---------------+-----------+-------+-------+------------+-----------+-------------+

Which type of attributes should I use to access from "webmail01", but not "switch" for example ?
 
 
thanks

________________________________

From: freeradius-users-bounces+nasr-eddine.badaoui=ratp.fr at lists.freeradius.org on behalf of freeradius-users-request at lists.freeradius.org
Date: Mon. 13/10/2008 19:30
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 42, Issue 80





Today's Topics:

   1. access rights for some users ou users groups with freeradius
      and mysql (BADAOUI Nasr-Eddine (P))
   2. Re: access rights for some users ou users groups with
      freeradius and    mysql (tnt at kalik.net)
   3. Re: One user - Different Service Type depending on NAS
      (Alan DeKok)
   4. Re: NAS-Identifier (Paul Bartell)
   5. FR2.1.1 Solaris 5.10 x86 32-bit race condition (Chris Howley)
   6. Re: FR2.1.1 Solaris 5.10 x86 32-bit race condition (Alan DeKok)
   7. Authentication ok but not login on a Netopia (Gamaliel Bedolla)
   8. syntax errors on mysql ip pools (Marcelus Trojahn)


----------------------------------------------------------------------

Message: 1
Date: Mon, 13 Oct 2008 13:51:28 +0200
From: "BADAOUI Nasr-Eddine (P)" <nasr-eddine.badaoui at ratp.fr>
Subject: access rights for some users ou users groups with freeradius
        and mysql
To: <freeradius-users at lists.freeradius.org>
Message-ID:
        <E50F5250B1B60045B2B10390D6FFE79462BC7E at EXCHANGEA2.info.ratp>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

I'd like to know how to authorize some users or user groups created in mysql tables so that they can log in only on some mysql clients, with freeradius.

Mysql's tables are :

nas table for clients
radcheck table for users
radgroupcheck table
usergroup table

many thanks



------------------------------

Message: 2
Date: Mon, 13 Oct 2008 13:24:07 +0100
From: <tnt at kalik.net>
Subject: Re: access rights for some users ou users groups with
        freeradius and  mysql
To: "FreeRadius users mailing list"
        <freeradius-users at lists.freeradius.org>
Message-ID: <ywKtdFdk.1223900647.6302610.tnt at kalik.net>
Content-Type: text/plain; charset=ISO-8859-2

If I understood you well, you want some users or groups to have access
from NAS1 but not from NAS2. Add attribute NAS-IP-Address with
appropriate value to radcheck or radgroupcheck table.

Ivan Kalik
Kalik Informatika ISP


On 13/10/2008, "BADAOUI Nasr-Eddine (P)"
<nasr-eddine.badaoui at ratp.fr> wrote:

>Hi,
>
>I'd like to know how to authorize some users or user groups created in mysql tables so that they can log in only on some mysql clients, with freeradius.
>
>Mysql's tables are :
>
>nas table for clients
>radcheck table for users
>radgroupcheck table
>usergroup table
>
>many thanks
>
>
>
>



------------------------------

Message: 3
Date: Mon, 13 Oct 2008 14:24:45 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: One user - Different Service Type depending on NAS
To: FreeRadius users mailing list
        <freeradius-users at lists.freeradius.org>
Message-ID: <48F33E0D.1010709 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Mats Blomgren B wrote:
> 3 of the users should have full access (read/write) to the network (94
> Extreme Switches). This is straight forward.
> The other 3 should have read/write to about 80 switches and read only to
> the last 14.

  Put the users into groups.  Put the NASes into groups.  Apply policies
based on group membership.

> I understand that I can group devices in huntgroups and users in groups
> and then control the access.

  Yes.  However, huntgroups may not be the best way to handle this.

> The problem I have is that I don't know how to give a certain user a
> specific "Service-Type" depending on the NAS he/she tries to connect to.
> I want the Service Type to differ for certain users depending on the NAS.

  Don't.  Do *group* checking.

        if ((Packet-Src-IP-Address == 1.2.3.4) || ...) {   # 80 times
                update request {
                        NAS-Group = "one"  # define this in "dictionary"
                }
        }
        elsif ((Packet-Src-IP-Address == 2.3.4.5) || ...) {   # 14 times
                update request {
                        NAS-Group = "two"
                }
        }

  Put the users into similar groups.  Put them into groups called
"admin", "some", or "readonly".

        if (User-Group == "admin") {
                update reply {
                        Service-Type = Administrative-User
                }
        }
        elsif ((User-Group == "some") && (NAS-Group == "one")) {
                update reply {
                        Service-Type = Administrative-User
                }
        }
        else {
                update reply {
                        Service-Type = Login-User
                }
        }

   Alan DeKok.


------------------------------

Message: 4
Date: Mon, 13 Oct 2008 07:08:57 -0700
From: "Paul Bartell" <paul-bartell at ubuntu.com>
Subject: Re: NAS-Identifier
To: "FreeRadius users mailing list"
        <freeradius-users at lists.freeradius.org>
Message-ID:
        <2b5bab0f0810130708j708b4456l8d22cd8a555c6157 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

You can use the called-station-id variable to say yay or nay for
authentication. For example, we have a Staff network, that requires
different usernames/passwords from the regular wifi SSIDS. We use
regex to check for regular users trying to get onto the staff ssid.

On 10/13/08, Alan DeKok <aland at deployingradius.com> wrote:
> Stefan Eck (gmail) wrote:
>  > Well, the new NAS device sends 5 different NAS-Identifier. eg WebAdmin,
>  > SSLVPN or HTTP. But only one RADIUS can be configured.
>
>
>   Only one RADIUS can be configured... where?
>
>
>  >  I'm just thinking about that users can be authenticated via RADIUS
>  > server1 and admin(webadmins) can be authenticated via RADIUS server2. Or
>  > similar like that.
>
>
>   Why?
>
>
>  > Currently, I don't have any clue to take advantage of the
>  > NAS-Identifier. Where is this attribute configured on the RADIUS. Other
>  > devices send the NAS-IP, but this is only relevant for the shared secret
>  > or the accounting.
>
>
>   No.  The server does NOT use the NAS-IP-Address to look up the shared
>  secret.
>
>   If you want to apply policies based on attributes, see "man unlang".
>  You can write complex policies using a very simple language.
>
>
>   Alan DeKok.
>  -
>  List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


--
Random quote of the week/month/whenever i get to updating it:
"Opportunity knocked. My doorman threw him out." - Adrienne Gusoff

"At school you don't get parole, good behavior only brings a longer
sentence." - The History Boys


------------------------------

Message: 5
Date: Mon, 13 Oct 2008 16:18:42 +0100
From: "Chris Howley" <C.P.Howley at leeds.ac.uk>
Subject: FR2.1.1 Solaris 5.10 x86 32-bit race condition
To: <freeradius-users at lists.freeradius.org>
Message-ID:
        <8C86A47C06F80643A4B6F95F71505357CCA47B at HERMES1.ds.leeds.ac.uk>
Content-Type: text/plain;       charset="US-ASCII"

Alan,

FR 2.1.1, Solaris 5.10 x86 32-bit

We're using the latest code from git.freeradius.org.

We're using PEAP/MSCHAPv2 and authenticating against Microsoft AD. We've
encountered a race condition affecting the server when the supplicant on a
Windows XP station attempts to reauthenticate 30 minutes after the initial
user logon.

Here's the URL for the gdb and radiusd -X output:
http://129.11.59.52/RADIUSD/

Any help in fixing this problem would be appreciated.

Thanks,

Chris Howley



------------------------------

Message: 6
Date: Mon, 13 Oct 2008 17:34:37 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: FR2.1.1 Solaris 5.10 x86 32-bit race condition
To: FreeRadius users mailing list
        <freeradius-users at lists.freeradius.org>
Message-ID: <48F36A8D.9060909 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Chris Howley wrote:
> We're using PEAP/MSCHAPv2 and authenticating against Microsoft AD. We've
> encountered a race condition affecting the server when the supplicant on a
> Windows XP station attempts to reauthenticate 30 minutes after the initial
> user logon.

  What is the race condition?  It's not entirely obvious from the 600+K
of debug output.

  All I see is a bunch of authentication requests, followed by you
stopping the server via CTRL-C, and running gdb.

  What's going wrong?  Is it *not* reading the data from the pipe?
Maybe something else?

  Alan DeKok.


------------------------------

Message: 7
Date: Mon, 13 Oct 2008 10:35:54 -0600
From: Gamaliel Bedolla <gbf at transtelco.net>
Subject: Authentication ok but not login on a Netopia
To: freeradius-users at lists.freeradius.org
Message-ID: <48F378EA.5040308 at transtelco.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi all,

    I have problems with the authentication of a Netopia R910 router with
firmware 4.11. The configuration of the Freeradius is ok but Netopia is
not accepting the Access-Accept from the freeradius. The questions are:
Is there an attribute the Freeradius must reply to the Netopia? Is
there any misconfiguration on the Netopia?
Freeradius ver. is 2.0.4.

(part of the reply of the Freeradius)
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "****"
rlm_pap: Using clear text password "****"
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [gbf/****] (from client ezeronet port 0)
+- entering group post-auth
++[exec] returns noop
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 24 with timestamp +98
Ready to process requests.


This is the configuration of the Netopia router:

                           Advanced Security Options


         Security Databases...              RADIUS then Local

         RADIUS Server Addr/Name:           (Ip-of-the-Freeradius)
         RADIUS Server Secret:              ********************
         Alt RADIUS Server Addr/Name:
         Alt RADIUS Server Secret:
         RADIUS Identifer:
         RADIUS Server Authentication Port: 1812
         RADIUS Access Privileges...        All


         Telnet Server Port:                23


         LAN (EN Hub) IP Filter Set...
         Remove Filter Set


Thanks to all.




------------------------------

Message: 8
Date: Mon, 13 Oct 2008 14:30:18 -0300
From: "Marcelus Trojahn" <mtrojahn at gmail.com>
Subject: syntax errors on mysql ip pools
To: freeradius-users at lists.freeradius.org
Message-ID:
        <614f5d520810131030h7d378003p8892fbd340e56d3f at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

I've been trying for a few days to configure a new freeradius server with
mysql IP pools support and I noticed there's a few errors with the syntax of
some queries on sqlippool.conf for mysql.

First of all, some queries would never match because the schema provided
with freeradius for the radippools table would set the 'expiry_time' field
as default to NULL and then the queries would try something like expiry_time
< NOW(), which would never match if the field is NULL.

So, the correct schema for the database would be:
CREATE TABLE radippool (
  id int(11) unsigned NOT NULL auto_increment,
  pool_name varchar(30) NOT NULL,
  framedipaddress varchar(15) NOT NULL default '',
  nasipaddress varchar(15) NOT NULL default '',
  calledstationid VARCHAR(30) NOT NULL,
  callingstationid VARCHAR(30) NOT NULL,
  expiry_time DATETIME NOT NULL,
  username varchar(64) NOT NULL default '',
  pool_key varchar(30) NOT NULL,
  PRIMARY KEY (id)
);

And then, the complete ippool.conf should be:

-- begin -----------

# ## This series of queries allocates an IP address
 allocate-clear = "UPDATE ${ippool_table} \
  SET nasipaddress = '', pool_key = 0, \
  callingstationid = '', username = '', \
  expiry_time = '0000-00-00' \
  WHERE pool_key = '${pool-key}'"

## This series of queries allocates an IP address
## (Note: If your pool-key is set to Calling-Station-Id and not NAS-Port
## then you may wish to delete the "AND nasipaddress = '%{Nas-IP-Address}'
## from the WHERE clause)

 allocate-clear = "UPDATE ${ippool_table} \
  SET nasipaddress = '', pool_key = 0, \
  callingstationid = '', username = '', \
  expiry_time = '0000-00-00' \
  WHERE expiry_time <= NOW() - INTERVAL 1 SECOND \
  AND nasipaddress = '%{Nas-IP-Address}'"

## The ORDER BY clause of this query tries to allocate the same IP-address
## which user had last session...
allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
 WHERE pool_name = '%{control:Pool-Name}' AND expiry_time < NOW() \
 ORDER BY (username <> '%{User-Name}'), \
 (callingstationid <> '%{Calling-Station-Id}'), \
 expiry_time \
 LIMIT 1 \
 FOR UPDATE"

# ## If you prefer to allocate a random IP address every time,
# ## use this query instead

# allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
# WHERE pool_name = '%{control:Pool-Name}' \
# AND expiry_time IS NULL \
# ORDER BY RAND() \
# LIMIT 1 \
# FOR UPDATE"

## If an IP could not be allocated, check to see if the pool exists or not
## This allows the module to differentiate between a full pool and no pool
## Note: If you are not running redundant pool modules this query may be
## commented out to save running this query every time an ip is not allocated.
pool-check = "SELECT id FROM ${ippool_table} \
 WHERE pool_name='%{control:Pool-Name}' LIMIT 1"

## This is the final IP Allocation query, which saves the allocated ip details
allocate-update = "UPDATE ${ippool_table} \
 SET nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \
 callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', \
 expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
 WHERE framedipaddress = '%I'"

## This series of queries frees an IP number when an accounting
## START record arrives
start-update = "UPDATE ${ippool_table} \
 SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
 WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '${pool-key}'"

## This series of queries frees an IP number when an accounting
## STOP record arrives
stop-clear = "UPDATE ${ippool_table} \
 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \
 expiry_time = '0000-00-00' \
 WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' \
 AND username = '%{User-Name}' \
 AND callingstationid = '%{Calling-Station-Id}' \
 AND framedipaddress = '%{Framed-IP-Address}'"

## This series of queries frees an IP number when an accounting
## ALIVE record arrives
alive-update = "UPDATE ${ippool_table} \
 SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
 WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' \
 AND username = '%{User-Name}' \
 AND callingstationid = '%{Calling-Station-Id}' \
 AND framedipaddress = '%{Framed-IP-Address}'"

## This series of queries frees the IP numbers allocate to a
## NAS when an accounting ON record arrives
on-clear = "UPDATE ${ippool_table} \
 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \
 expiry_time = '0000-00-00' \
 WHERE nasipaddress = '%{Nas-IP-Address}'"

## This series of queries frees the IP numbers allocate to a
## NAS when an accounting OFF record arrives
off-clear = "UPDATE ${ippool_table} \
 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \
 expiry_time = '0000-00-00' \
 WHERE nasipaddress = '%{Nas-IP-Address}'"

-- end of file --------------

I might add I'm not any Mysql expert so any opinions about what I said are
really welcome... I've tested it and apparently it works and I couldn't find
any potential bugs so far...

I hope my english is not that rusty :)

--
Marcelus Trojahn
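
The NULL comparison problem described in the message above, reproduced as an added example (not part of the original post and not FreeRADIUS code). It uses Python's sqlite3 as a stand-in for MySQL; the pool name, addresses and the simplified table are constructed for illustration.

```python
import sqlite3

# Constructed sample addresses. SQLite stands in for MySQL (assumption);
# both evaluate "NULL < value" to NULL, which a WHERE clause treats as false.
POOL_IPS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]

# Simplified form of the allocate-find query quoted in the message.
FIND_FREE = """SELECT framedipaddress FROM radippool
               WHERE pool_name = ? AND expiry_time < datetime('now')
               ORDER BY expiry_time LIMIT 1"""


def build_pool(expiry_column_ddl, initial_expiry):
    """Create an in-memory radippool table and load it with unallocated addresses."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radippool ("
        " id INTEGER PRIMARY KEY,"
        " pool_name TEXT NOT NULL,"
        " framedipaddress TEXT NOT NULL,"
        " username TEXT NOT NULL DEFAULT '',"
        f" expiry_time {expiry_column_ddl})"
    )
    db.executemany(
        "INSERT INTO radippool (pool_name, framedipaddress, expiry_time) VALUES (?, ?, ?)",
        [("main_pool", ip, initial_expiry) for ip in POOL_IPS],
    )
    return db


def find_free_address(db, pool="main_pool"):
    """Run the allocate-find style query; return an address or None."""
    row = db.execute(FIND_FREE, (pool,)).fetchone()
    return row[0] if row else None


def count_unmatched(db):
    """Rows the '<' comparison can never select because expiry_time is NULL."""
    return db.execute(
        "SELECT COUNT(*) FROM radippool WHERE expiry_time IS NULL"
    ).fetchone()[0]


# Schema with a NULL default: never-used rows hold NULL in expiry_time.
null_pool = build_pool("DATETIME DEFAULT NULL", None)
# Schema from the message: NOT NULL, free rows carry a zero timestamp instead.
fixed_pool = build_pool("DATETIME NOT NULL", "0000-00-00 00:00:00")

if __name__ == "__main__":
    print("NULL default:", find_free_address(null_pool), "| NULL rows:", count_unmatched(null_pool))
    print("NOT NULL    :", find_free_address(fixed_pool), "| NULL rows:", count_unmatched(fixed_pool))
```

On MySQL servers whose sql_mode combines strict mode with NO_ZERO_DATE, the '0000-00-00' value is rejected, so a different sentinel timestamp is needed there.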

------------------------------



End of Freeradius-Users Digest, Vol 42, Issue 80
************************************************

