Conditional radreply with Freeradius. Possible somehow ?

Pere Hospital pere at secways.com
Wed May 26 11:13:56 CEST 2010


	Thx for the answer. 

	I have gone again through the SQL wiki. What I am not able to
find anywhere (and I think it is exactly what we need) is how to
emulate this behaviour of check/reply items that you can get via the
users file, i.e. from the users file:

# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups
# file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson	Service-Type == Framed-User, Huntgroup-Name == "alphen"
#		Framed-IP-Address = 192.168.1.65,
#		Fall-Through = Yes

Here you are checking for two parameters (Service-Type, Huntgroup-Name ...
in our case it could be the cleartext password and NAS-Identifier) and
then, if both checks succeed, returning the Framed-IP-Address.

	This is what I can't see how to do with the sql module, as radreply
is related just to the username.

	From the SQL Wiki:

"In radreply, create entries for each user-specific radius reply
attribute against their username" --> against their username, and not
username + NAS-Identifier.

and again 

"If check attributes are found, and there's a match, pull the reply
items from the radreply table for this user and add them to the reply "
--> for this user, so again no info about this user+other
requirements ...

	Also:

>   Though since these rules are NAS based and not user based, I would
> suggest simply writing them in the configuration.  See "man unlang".

	Well, rules are user + NAS based. A user will get a certain IP
only if he connects to a certain NAS. And from what you say I assume
that configuration files + sql can be used at the same time?

	Sorry to be so lost here :)


	Pere

On Wed, 26 May 2010 09:18:49 +0200
Alan DeKok <aland at deployingradius.com> wrote:

> Pere Hospital wrote:
> > So the logic of the process would be :
> > 
> > Receive auth request from VPN server
> > ---> Authenticate/Authorize user (via radcheck, checking expiration
> > date, number of simultaneous logins ...). ---> If NAS-Identifier = X
> > then return (via radreply)  Framed-IP-Address=Y ---> If
> > NAS-Identifier = Z then return (via radreply)  Framed-IP-Address=W
> > ---> otherwise don't return a Framed-IP-Address
> > 
> > Is this possible somehow ?
> 
>   Yes.
> 
> > We are using SQL module in freeradius.
> 
>   See the Wiki for how the SQL module works.
> 
>   Though since these rules are NAS based and not user based, I would
> suggest simply writing them in the configuration.  See "man unlang".
> 
>   And upgrade to 2.1.9...
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 



-- 
Pere Hospital, CISSP®, OSCP®
secWays
Security First

p: +34 933905455
m: +34 649827299
e: pere at secways.com
w: www.secways.com

PGP keyid: 0x100D35BDA0F669A8 
http://keyserver.pgp.com
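One way to combine the two approaches discussed in this thread (the sql module for the per-user check and reply items, unlang for the per-NAS condition), as an added example that is not from either poster; it assumes a constructed table radreply_nas with columns username, nasidentifier, attribute and value, made-up NAS-Identifier values, and the unlang/xlat syntax of FreeRADIUS 2.x.

```unlang
# Excerpt of the "authorize" section of sites-enabled/default (FreeRADIUS 2.x).
# Added example, not from the thread: radreply_nas is a constructed table
# (username, nasidentifier, attribute, value).
authorize {
    preprocess

    # The sql module keeps doing what it does today: radcheck items
    # (password, expiration, Simultaneous-Use ...) are checked and the
    # plain per-user radreply items are added to the reply.  It also sets
    # SQL-User-Name, the same name the stock dialup.conf queries use.
    sql

    # Only continue for users the SQL module actually knows about.
    if (ok || updated) {

        # Look up an address for this user *and* this NAS.  The sql xlat
        # runs the expanded attribute values through the module's escape
        # function before they reach the query.  NAS-Identifier is whatever
        # the NAS put in the request; if several NASes share one client
        # entry, keying on Packet-Src-IP-Address instead is the stricter choice.
        update request {
            Tmp-String-0 := "%{sql:SELECT value FROM radreply_nas WHERE username = '%{SQL-User-Name}' AND nasidentifier = '%{NAS-Identifier}' AND attribute = 'Framed-IP-Address' LIMIT 1}"
        }

        # No row for this user+NAS pair: send no Framed-IP-Address at all
        # rather than an empty or wrong one (the "otherwise" case above).
        if (Tmp-String-0 != "") {
            update reply {
                Framed-IP-Address := "%{Tmp-String-0}"
            }
        }
    }
}
```

Rows in radreply_nas then express "user X on NAS Y gets address Z", while radreply stays user-only as the wiki describes.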