Re: Make sense of SQL Huntgroup HOWTO?
Joel Bergmark
joel.bergmark at t3.se
Fri Dec 18 18:31:17 CET 2015
Thank you for the help! Indeed this looks more simplistic and nice! :)
Everything is in the SQL, necessary since using daloradius as frontend.
Just a follow up on:
if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) {
reject
}
How to determine the 'SQL-Group' in a simple way? Tried it as is to see how it behaved, and got:
+- entering group authorize {...}
sql_xlat
expand: %{User-Name} -> bl
sql_set_user escaped user --> 'bl'
expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='46.23X.XX.170'
rlm_sql (sql): Reserving sql socket id: 3
sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> 3rdline
++[request] returns notfound
++? if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline"))
?? Evaluating (Huntgroup-Name == "2ndline") -> FALSE
?? Skipping (SQL-Group != "2ndline")
++? if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) -> FALSE
++[chap] returns noop
Best regards, Joel
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+joel.bergmark=t3.se at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 18 December 2015 17:38
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Make sense of SQL Huntgroup HOWTO?
On Dec 18, 2015, at 11:30 AM, Joel Bergmark <joel.bergmark at t3.se> wrote:
> What I want to do is to control users belonging to group "2ndline" to only access specific nas defined as 2ndline in the huntgroups. If a member of 2ndline tries to login to a NAS defined to 3dline or any other group freeradius should deny access.
Then write that down. It's pretty much that simple.
if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) {
reject
}
This assumes that the NAS groups are in Huntgroup, and the user groups are in SQL.
> Assuming a user in 2ndline group trying to login to a NAS defined in
> huntgroup to be 3rdline update request {
> Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}" {
> }
Formatting matters.
update request {
Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
}
Extra braces are a problem.
> if (Huntgroup-Name != users groupname 2ndline (I imagine this to be a sql query)
> reject
> }
Nope. Just use my example from above. It's simpler.
That is, it assumes that the user groups are in SQL, too.
> Sorry if this is something not supposed to be dealt with on this
> mailing list,
It is exactly what's supposed to be discussed here.
> but the alternative is to set up double radius servers, and that seems backwards. I will document the solution to this on the wiki, if I get it working.
That would be nice.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
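As an added, runnable illustration (not code from the thread, from FreeRADIUS or from daloRADIUS), the Python script below rebuilds the two tables behind the policy discussed above in an in-memory SQLite database with constructed rows, runs the query that fills Huntgroup-Name, and evaluates the quoted condition including the && short-circuit visible in the debug output. The NAS addresses, the user ops1 and the modelling of SQL-Group != "2ndline" as "the user has no radusergroup row for 2ndline" are assumptions made for the example.

```python
import sqlite3

# Constructed sample rows (not from the thread); column names follow the
# radusergroup / radhuntgroup tables that the thread's queries read.
RADUSERGROUP = [
    ("bl", "2ndline", 1),      # the user seen in the debug output, placed in 2ndline
    ("ops1", "3rdline", 1),    # hypothetical user in a different group
]
RADHUNTGROUP = [
    ("2ndline", "192.0.2.10"),  # hypothetical NAS addresses (documentation range)
    ("3rdline", "192.0.2.20"),
]


def build_db():
    """Create an in-memory SQLite copy of the two tables with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER)")
    conn.execute("CREATE TABLE radhuntgroup (groupname TEXT, nasipaddress TEXT)")
    conn.executemany("INSERT INTO radusergroup VALUES (?, ?, ?)", RADUSERGROUP)
    conn.executemany("INSERT INTO radhuntgroup VALUES (?, ?)", RADHUNTGROUP)
    return conn


def huntgroup_name(conn, nas_ip):
    """The query behind the thread's %{sql:...} expansion that fills Huntgroup-Name.
    Returns '' when the NAS is in no huntgroup, as an empty expansion would."""
    row = conn.execute(
        "SELECT groupname FROM radhuntgroup WHERE nasipaddress = ?", (nas_ip,)
    ).fetchone()
    return row[0] if row else ""


def user_groups(conn, username):
    """Groups the user belongs to; assumption: this is what SQL-Group is compared against."""
    rows = conn.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority", (username,)
    )
    return [r[0] for r in rows]


def evaluate_policy(username, nas_ip, conn=None):
    """Mirror the condition from the thread:
        if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) { reject }
    Returns (decision, trace): decision is 'reject' or 'continue'; trace lists the
    evaluation steps in the style of the debug output, including the && short-circuit
    that skips the SQL-Group test when the left-hand side is FALSE.
    """
    conn = conn or build_db()
    trace = []
    lhs = huntgroup_name(conn, nas_ip) == "2ndline"
    trace.append(f'Evaluating (Huntgroup-Name == "2ndline") -> {"TRUE" if lhs else "FALSE"}')
    if not lhs:
        trace.append('Skipping (SQL-Group != "2ndline")')
        return "continue", trace
    # Assumption: SQL-Group != "2ndline" holds when the user has no row for that group.
    rhs = "2ndline" not in user_groups(conn, username)
    trace.append(f'Evaluating (SQL-Group != "2ndline") -> {"TRUE" if rhs else "FALSE"}')
    return ("reject" if rhs else "continue"), trace


if __name__ == "__main__":
    for user, nas in [("bl", "192.0.2.20"), ("ops1", "192.0.2.10"), ("bl", "192.0.2.10")]:
        decision, trace = evaluate_policy(user, nas)
        print(f"{user} on NAS {nas}: {decision}")
        for line in trace:
            print("   ", line)
```

For user bl on the NAS that the radhuntgroup row places in 3rdline, the script produces the same FALSE / Skipping pair that the debug output above shows: the SQL-Group test is only reached for a NAS whose huntgroup is 2ndline. The lookups use parameterized queries so the NAS address and username never become part of the SQL text.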