Accept message based on (ne type,group)
tnt at kalik.net
Thu Oct 30 19:29:44 CET 2008
>I'd like to use mysql based user authentication/authorization, with
>multiple NEs and multiple user groups.
>Ideally, the radius reply message should only return the VSAs
>appropriate for the vendor type x user group combination.
>
>So if user1 with permission of readonly logs into a "typeA" ne, it
>supplies the correct readonly VSAs for that box type.
>
>Today, with the standard config, the radgroupreply is including all
>vendor VSAs for the readonly group, no matter which vendor type the
>box is.
>
>mysql> select * from nas;
>+----+----------+-----------+-------+-------+----------+-----------+--------------------+
>| id | nasname  | shortname | type  | ports | secret   | community | description        |
>+----+----------+-----------+-------+-------+----------+-----------+--------------------+
>| 10 | 10.0.0.1 | ne1       | typeA | 0     | testpwd1 | commX     | this is a alu box  |
>| 11 | 10.0.0.2 | ne2       | typeB | 0     | testpwd2 | commY     | this is a alu box  |
>| 8  | 10.0.0.3 | ne3       | typeA | 0     | testpwd3 | commX     | s is a wwp box     |
>| 9  | 10.0.0.4 | ne4       | typeC | 0     | testpwd4 | commY     | this is a 3750 box |
>+----+----------+-----------+-------+-------+----------+-----------+--------------------+
>
You should read what (nas)type is in clients.conf and what values will
make sense. These don't.
>
>mysql> select * from radcheck;
>+----+----------+--------------------+----+-----------+
>| id | username | attribute | op | value |
>+----+----------+--------------------+----+-----------+
>| 1 | user1 | Password | == | barf |
>| 2 | user2 | Cleartext-Password | == | barf |
>| 3 | user3 | User-Password | == | barf |
>
This is wrong. Read the instructions in the FAQ, README or users file about which
password attribute and operator you should use.
>mysql> select * from radusergroup;
>+----------+-----------+----------+
>| username | groupname | priority |
>+----------+-----------+----------+
>| rouser | readonly | 1 |
>| techsup1 | admin | 1 |
>+----------+-----------+----------+
>
>mysql> select * from radgroupreply;
>+----+-----------+------------------------+----+---------------------+
>| id | groupname | attribute | op | value |
>+----+-----------+------------------------+----+---------------------+
>| 9 | readonly | Service-Type | := | NAS-Prompt-User |
>| 10 | readonly | Timetra-Access | := | console |
>| 11 | readonly | Timetra-Default-Action | := | none |
>| 12 | readonly | Timetra-Profile | := | readonly |
>| 13 | readonly | Cisco-AVPair | := | shell:priv-lvl=7 |
>| 14 | admin | Service-Type | := | Administrative-User |
>+----+-----------+------------------------+----+---------------------+
>
>
>I was wondering if there is a way to have the radgroupreply be vendor
>type based. I was thinking:
>1) the nas table already has a type field.
For a purpose.
>2) add a type field to radgroupreply.
>3) modify the radgroupreply select to use the type, so something like:
>
>authorize_group_reply_query = "SELECT id, groupname, attribute, \
> value, op \
> FROM ${groupreply_table} \
> WHERE groupname = '%{Sql-Group}' AND radgroupreply.type =
>%{SELECT type from nas where nas.nasname = ???}
> ORDER BY id"
>
This can work but it will disable simultaneous use checking.
>Questions:
>a) Is this the right approach?
No.
>b) Is there a better way?
>
Use NAS-IP-Address. If a single NAS is of a certain type, add a NAS-IP-Address
check to radgroupcheck. If there are more, create huntgroups (in the
huntgroups file) and add a Huntgroup-Name check to radgroupcheck.
Ivan Kalik
Kalik Informatika ISP
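The huntgroup-based approach recommended in the reply, written out as an added example; this is not code from the original thread or from the FreeRADIUS project. The nas rows come from the post; the huntgroup names, the per-type group names (readonly_typeA, readonly_typeC), the choice that typeA boxes take the Timetra VSAs and typeC the Cisco-AVPair, and the use of rouser with password barf are assumptions made for illustration. The huntgroups file fragment is shown inside SQL comments because it is not SQL.

```sql
-- Added example, not from the original post or from FreeRADIUS.
-- Goal: return only the VSAs that fit the (NAS type, user group) pair,
-- without touching authorize_group_reply_query.

-- 1. Map each NAS address to a vendor-type huntgroup in the huntgroups
--    file (raddb/huntgroups, read by the preprocess module; not SQL):
--
--      typeA   NAS-IP-Address == 10.0.0.1
--      typeA   NAS-IP-Address == 10.0.0.3
--      typeB   NAS-IP-Address == 10.0.0.2
--      typeC   NAS-IP-Address == 10.0.0.4
--
--    preprocess then adds Huntgroup-Name to every request, and the SQL
--    check items below can match on it. (For a single NAS of a given
--    type, a radgroupcheck row with NAS-IP-Address == 10.0.0.4 would do
--    the same job without a huntgroup.)

-- 2. Password check item in the documented form: Cleartext-Password
--    with the := operator (rouser/barf are assumed values).
DELETE FROM radcheck WHERE username = 'rouser';
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('rouser', 'Cleartext-Password', ':=', 'barf');

-- 3. One group per (role, vendor type). The check item gates the group
--    on the huntgroup the request arrived from.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
  ('readonly_typeA', 'Huntgroup-Name', '==', 'typeA'),
  ('readonly_typeC', 'Huntgroup-Name', '==', 'typeC');

-- 4. Reply items are now split per vendor type instead of lumped into
--    one "readonly" group (VSA assignment to types is an assumption).
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('readonly_typeA', 'Service-Type',           ':=', 'NAS-Prompt-User'),
  ('readonly_typeA', 'Timetra-Access',         ':=', 'console'),
  ('readonly_typeA', 'Timetra-Default-Action', ':=', 'none'),
  ('readonly_typeA', 'Timetra-Profile',        ':=', 'readonly'),
  ('readonly_typeC', 'Service-Type',           ':=', 'NAS-Prompt-User'),
  ('readonly_typeC', 'Cisco-AVPair',           ':=', 'shell:priv-lvl=7');

-- 5. The user is a member of every per-type group. rlm_sql walks the
--    groups in priority order; a group whose check items do not match
--    the request is skipped, and once a group matches its reply items
--    are used and processing stops (unless Fall-Through is set).
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('rouser', 'readonly_typeA', 1),
  ('rouser', 'readonly_typeC', 2);

-- Sanity check: which reply rows can a request from ne4 (10.0.0.4,
-- huntgroup typeC) receive for rouser? Only the readonly_typeC rows.
SELECT r.attribute, r.op, r.value
  FROM radusergroup ug
  JOIN radgroupcheck c ON c.groupname = ug.groupname
  JOIN radgroupreply r ON r.groupname = ug.groupname
 WHERE ug.username = 'rouser'
   AND c.attribute = 'Huntgroup-Name' AND c.value = 'typeC'
 ORDER BY ug.priority, r.id;
```

Because the filtering happens in check items rather than in a rewritten authorize_group_reply_query, the stock group queries (and the simultaneous-use checking the reply warns about) are left intact; the only moving part is the huntgroups file, which must list every NAS address that should receive vendor-specific replies.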