design question

Matt Zagrabelny mzagrabe at d.umn.edu
Wed Mar 6 16:46:51 CET 2013


On Tue, Mar 5, 2013 at 9:17 PM, Arran Cudbard-Bell
<a.cudbardb at freeradius.org> wrote:
>
> On 5 Mar 2013, at 18:03, Matt Zagrabelny <mzagrabe at d.umn.edu> wrote:
>
>> On Mon, Mar 4, 2013 at 4:28 PM, Arran Cudbard-Bell
>> <a.cudbardb at freeradius.org> wrote:
>>
>>>
>>> You know SQL supports groups, right? And that a group matching can be conditional on attributes in the request? And that you can add additional config items to client definitions to mark them as special devices?
>>
>> Hi Arran,
>>
>> Thanks for the reply. I've grepped the wiki and mailing list archives
>> and could not answer the following:
>>
>> What do I change in the nas table (in the database) to mark the
>> network boxes as "special devices"? I see the schema as:
>>
>> CREATE TABLE nas (
>> id SERIAL PRIMARY KEY,
>> nasname VARCHAR(128) NOT NULL,
>> shortname VARCHAR(32) NOT NULL,
>> type VARCHAR(30) NOT NULL DEFAULT 'other',
>> ports int4,
>> secret VARCHAR(60) NOT NULL,
>> server VARCHAR(64),
>> community VARCHAR(50),
>> description VARCHAR(200)
>> );
>>
>> Is it the "server" field? If so, could you also briefly explain how to
>> apply that to group matching? (I have added users to groups using the
>> usergroup table, but haven't touched the radgroupcheck/reply yet.)
>
> So long as you're using static devices in clients.conf you can use the xlat expansion "%{client:<config item>}".

I am using static devices, but I am using a nas table in a PG
database. Does that affect the xlat expansion? I already had a
'shortname' (but not a group field) in the table schema and tried:

authorize {
    update request {
        Client-Group := "%{client:shortname}"
    }
    sql
}

Here is a snippet of the 'freeradius -X' output:

++[files] returns noop
expand: %{client:shortname} ->
++[request] returns noop
[sql] expand: %{Stripped-User-Name} ->
[sql] ... expanding second conditional

You can see that the expand didn't work as expected.

Data in the table looks like:

atlas=> SELECT * from radius_nas limit 1;
 id | nasname | shortname | type |     secret      | server
----+---------+-----------+------+-----------------+--------
 72 | ups    | ups      |      | sUperS3cret |
(1 row)

And also the configuration in dialup.conf:

nas_query = "SELECT id, nasname, shortname, type, secret, server FROM
${nas_table}"

Any ideas?

Thanks,

-mz

