how to use groups within freeradius
Gary T. Giesen
giesen at snickers.org
Mon Jul 4 23:10:12 CEST 2011
I'm trying to do the same thing as your second example:
I set up a group in radgroupcheck:
id groupname attribute op value
1 PVT NAS-IP-Address == 10.99.0.47
and the corresponding rows in radgroupreply:
id groupname attribute op value
26 PVT Auth-Type := Reject
27 PVT Reply-Message := Hello world!
rad_recv: Access-Request packet from host 10.99.0.47 port 1645,
id=108, length=146
Framed-Protocol = PPP
User-Name = "test.ca/branchtest1"
User-Password = "poochpatrol"
Calling-Station-Id = "bas110002200045"
Connect-Info = "155520000"
NAS-Port-Type = Virtual
NAS-Port = 46
NAS-Port-Id = "Uniq-Sess-ID46"
Service-Type = Framed-User
NAS-IP-Address = 10.99.0.47
[sql-auth] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username
= test.ca/branchtest1' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup
WHERE username = 'test.ca/branchtest1' ORDER BY
priority
[sql-auth] expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, Value, op FROM radgroupcheck
WHERE groupname = 'PVT' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'PVT' ORDER BY id
[sql-auth] User found in group PVT
[sql-auth] expand: SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, value, op FROM radgroupreply
WHERE groupname = 'AKN-PVT' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname =
'PVT' ORDER BY id
rlm_sql (sql-auth): Released sql socket id: 3
++[sql-auth] returns ok
Sending Access-Accept of id 108 to 10.99.0.47 port 1645
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Service-Type := Framed-User
Framed-Protocol += PPP
Framed-IP-Address += 172.23.254.1
Cisco-AVPair += "lcp:interface-config#1=bandwidth 4032"
Cisco-AVPair += "lcp:interface-config#1=bandwidth receive 800"
Reply-Message += "Hello world!"
Finished request 2.
As you can see, it's definitely matching on the group, and even
applying one of the attributes (Reply-Message), but it's authenticating
the user (and obviously shouldn't be). Any thoughts?
GG
On Tue, Jun 28, 2011 at 9:31 AM, Ken Felix <kfelix at jdltech.com> wrote:
> Phil
>
> your examples were straight on, and very helpful. I ended up using SQLgroup within "/etc/freeradius/users + huntgroups" and the groups that I've created & it worked the very 1st time, & with no problems. To answer your other question, this is with freeradius version:
>
>
> root at TACACS:/etc/init.d# freeradius -v | grep Version
> freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built on Mar 30 2007 at 22:44:34
> root at TACACS:/etc/init.d#
>
>
> Thanks
>
>
> -----Original Message-----
> From: freeradius-users-bounces+kfelix=jdltech.com at lists.freeradius.org on behalf of Phil Mayers
> Sent: Tue 6/28/2011 3:55 AM
> To: freeradius-users at lists.freeradius.org
> Subject: Re: how to use groups within freeradius
>
> On 06/27/2011 09:29 PM, Ken Felix wrote:
>>
>> Can anybody post a simple howto with regards to using groups within
>> freeradius? What we would like to do is restrict some users from
>> logging into various firewalls. I've created usergroups and defined
>>
>
> Which version of FreeRADIUS are you using?
>
> Anyway, the group config you've written doesn't do what you want. All it
> says is "if you're this username and coming from these IPs, you're in
> the group".
>
> You're not actually acting on the group membership.
>
> There are lots of ways to do this, but personally I prefer to keep SQL
> groups entirely user-based, and use huntgroups for NAS IPs, then compare
> the two. So:
>
> raddb/huntgroups:
>
> restricted NAS-IP-Address == 192.0.2.1
>
> raddb/sites-enabled/xxx:
>
> authorize {
>     if (Huntgroup-Name == restricted) {
>         if (SQL-Group == "restricted") {
>             # ok to login
>         }
>         else {
>             reject
>         }
>     }
> }
>
> ...or if you prefer to use a "users" file, in raddb/users:
>
> DEFAULT Huntgroup-Name == restricted, SQL-Group == "restricted"
>     Fall-Through = No
> DEFAULT Huntgroup-Name == restricted, Auth-Type := Reject
>     Fall-Through = No
>
>
> There are lots of other ways to accomplish this. The point being, you
> need to actually check the group, and if you define the group so that it
> depends on the username, and the thing they're permitted to access,
> then you're essentially writing a whitelist and would need something
> like, in your example, raddb/users:
>
> DEFAULT SQL-Group == xxx
>     Fall-Through = No
>
> DEFAULT SQL-Group == yyy
>     Fall-Through = No
>
> DEFAULT Auth-Type := Reject
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>
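A worked example added for this thread, not code from the original posts or from FreeRADIUS itself: a small Python simulation of how the users-file DEFAULT entries Phil describes are evaluated in order, with Fall-Through = No stopping at the first match and a trailing DEFAULT Auth-Type := Reject catching everyone else. The huntgroup address comes from the thread; the radusergroup rows, usernames and helper names are constructed assumptions.

```python
# Simulator of rlm_files-style "users" evaluation for the entries in this
# thread; not FreeRADIUS code.  Table rows and usernames are constructed.

HUNTGROUPS = {"restricted": {"192.0.2.1"}}                   # raddb/huntgroups
RADUSERGROUP = {"alice": ["restricted"], "bob": ["staff"]}   # constructed rows

# Entry = (check items, reply items, fall_through); a check item is
# (attribute, op, value) where "==" compares and ":=" sets a control item.
RESTRICTED_POLICY = [   # huntgroup + SQL-Group form
    ([("Huntgroup-Name", "==", "restricted"), ("SQL-Group", "==", "restricted")], {}, False),
    ([("Huntgroup-Name", "==", "restricted"), ("Auth-Type", ":=", "Reject")], {}, False),
]
WHITELIST_POLICY = [    # group whitelist with a final catch-all reject
    ([("SQL-Group", "==", "restricted")], {}, False),
    ([("SQL-Group", "==", "staff")], {}, False),
    ([("Auth-Type", ":=", "Reject")], {}, False),
]

def _matches(attr, value, req):
    """One '==' check item; Huntgroup-Name and SQL-Group are virtual
    attributes resolved from the NAS address and the user's groups."""
    if attr == "Huntgroup-Name":
        return req.get("NAS-IP-Address") in HUNTGROUPS.get(value, set())
    if attr == "SQL-Group":
        return value in RADUSERGROUP.get(req.get("User-Name"), [])
    return req.get(attr) == value

def authorize(req, policy):
    """Walk entries in order: the first whose '==' items all match applies
    its ':=' control items and reply items; Fall-Through = No then stops."""
    control, reply = {}, {}
    for check, reply_items, fall_through in policy:
        if all(_matches(a, v, req) for a, op, v in check if op == "=="):
            control.update({a: v for a, op, v in check if op == ":="})
            reply.update(reply_items)
            if not fall_through:
                break
    return control, reply

def decision(req, policy):
    """'reject' when the control list carries Auth-Type := Reject, otherwise
    the request proceeds to normal authentication."""
    control, _ = authorize(req, policy)
    return "reject" if control.get("Auth-Type") == "Reject" else "authenticate"

if __name__ == "__main__":
    for user, nas in [("alice", "192.0.2.1"), ("bob", "192.0.2.1"), ("bob", "10.99.0.47")]:
        req = {"User-Name": user, "NAS-IP-Address": nas}
        print(user, nas, decision(req, RESTRICTED_POLICY), decision(req, WHITELIST_POLICY))
```

Note that a NAS outside the restricted huntgroup matches neither of the first two entries, so under the huntgroup form the request simply continues to authentication; only the whitelist form rejects an unknown user everywhere.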