Assigning Users to Groups Dynamically

Mark Williams martialstudy at hotmail.com
Fri Dec 18 18:36:11 CET 2015


It doesn’t appear anyone else has tried tackling this one (good reasons for that). FreeRadius does in fact provide the tools to help you accomplish what you are looking for. The solution, however, requires you to have a properly designed datastore in your AAA system. Indeed, the vast majority of work to implement any solution will be on the datastore, not FreeRadius. I imagine most other users here employ either a sql database, ldap directory, or both in their own system. I use OpenLDAP. I strongly recommend you do some research on how to implement role/group based access in LDAP.

I could be very wrong, but it seems like what you really want is access defined, not per user, or even user group, but rather by device class/group. That has its own issues, but… if I were to implement something like this in my own environment… I would start with records/nodes for the users, some radiusProfiles that bundle VSAs for different classes of devices, and then records for the clients themselves, each with a virtual-server attribute that matches a virtual-server in FreeRadius. A virtual-server specific to that group/class of devices. Within that virtual server I’d call an ldap module defined to query for the radiusProfile which bundles the VSAs that device class cares about. The virtual-server can then attach those VSAs to the reply…

I’m still new to FreeRADIUS (really new), and the above was right off the top of my head, so there's surely a better way to do it. Actually you don’t even need multiple v-servers, just a control structure that calls the appropriate ldap module. But again, the work is largely in the datastore design, not the radius config. The more granular the access you need, the more complicated your data design will become. It’s not a fitting conversation for this list, so you need to do some reading. But I hope I’ve given you some direction.


> On Dec 16, 2015, at 4:23 PM, J Kephart <jkephart at safetynetaccess.com> wrote:
> 
> Hi!
> 
> I've been looking through the wiki, but thus far, I've not found
> anything that describes what I'd like to be able to do.
> 
> We manage on-site hardware for our clients, and that hardware includes
> routers, gateways, switches, etc.  What I'd like to be able to do is
> assign a user to a group dynamically, based on some identifying
> parameter received in the access request, and then have the group's
> attributes passed back in the access accept packet. 
> 
> So, for example, if any user wants to connect to Vendor A's gateway, we
> might have a group defined for that type of device containing:
> 
> vendor_a_gateway    Idle-Timeout    =    900
> vendor_a_gateway    VSA_1           =    xxx
> vendor_a_gateway    VSA_2           =    xxx
> vendor_a_gateway    VSA_3           =    xxx
> 
> Likewise, for Vendor B, we might have the following:
> 
> vendor_b_switch     Idle-Timeout    =    600
> vendor_b_switch     VSA_1           =    xxx
> vendor_b_switch     VSA_2           =    xxx
> vendor_b_switch     VSA_3           =    xxx
> 
> Ultimately, then, if a user logs on to a device that we can categorize
> as being Vendor A's gateway, we'd automatically associate that user with
> the group "vendor_a_gateway", and so on.  In that way, we hope to limit
> the number of attributes we need to manage for each user, instead having
> a short list of groups with attributes that can be assigned on the fly.
> 
> I don't know if I've explained this in a way that makes sense (I hope it
> makes sense to someone!), but I wonder if there's a way to do what I've
> described.
> 
> Hopefully,
> 
> Jim
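One way to express the device-class idea from the reply above in FreeRADIUS 3.x unlang, added here as an example and not part of either message: each NAS gets a `device_class` item in its `client` block (assumed to be readable as `%{client:device_class}`, as FreeRADIUS 3 does for extra client items), and `post-auth` switches on it to attach that group's reply attributes. It uses inline `update reply` blocks instead of the LDAP lookup the reply describes, keys on the shared-secret-authenticated client definition rather than on a request attribute the device could set itself, and the addresses, secrets and class names are constructed.

```conf
# clients.conf: each NAS is tagged with a constructed device_class item.
# FreeRADIUS 3.x exposes extra items in a client block as %{client:<name>}.
client vendor_a_gw1 {
    ipaddr       = 192.0.2.10          # constructed example address
    secret       = CHANGE_ME           # placeholder shared secret
    shortname    = vendor_a_gw1
    device_class = vendor_a_gateway
}

client vendor_b_sw1 {
    ipaddr       = 192.0.2.20          # constructed example address
    secret       = CHANGE_ME           # placeholder shared secret
    shortname    = vendor_b_sw1
    device_class = vendor_b_switch
}

# sites-enabled/default, post-auth section: group attributes are added to
# the Access-Accept only after authentication has already succeeded.
post-auth {
    switch "%{client:device_class}" {
        case "vendor_a_gateway" {
            update reply {
                Idle-Timeout := 900
                # vendor-specific attributes for this device class
                # (names from the vendor dictionary) go here
            }
        }
        case "vendor_b_switch" {
            update reply {
                Idle-Timeout := 600
                # vendor-specific attributes for this device class go here
            }
        }
        case {
            # unknown or untagged NAS: no class-specific attributes are
            # attached; whatever defaults are configured elsewhere apply
        }
    }
}
```

Adding a device class then means one new `client` block and, at most, one new `case`, while users carry no per-device attributes at all.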
