SV: Make sense of SQL Huntgroup HOWTO?

Fri Dec 18 21:55:20 CET 2015

I copy pasted the rules as you wrote them but they didn't work it allows a user defined as 2ndline to log on to equipment that’s 3rdline. I'm not enjoying to not be as clear as I would normally be, I work with networks, not so much freeradius or coding.

This is what I ran:

        update request {
                Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
        }
        if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) {
                reject
        }

Debuginfo: 

rad_recv: Access-Request packet from host 46.23X.XX.170 port 1645, id=118, length=66
        User-Name = "bl"
        User-Password = "asdfasdf"
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        NAS-IP-Address = 46.23X.XX.170
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
sql_xlat
        expand: %{User-Name} -> bl
sql_set_user escaped user --> 'bl'
        expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='46.23X.XX.170'
rlm_sql (sql): Reserving sql socket id: 3
sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
        expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> Noc
++[request] returns notfound
++? if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline"))
?? Evaluating (Huntgroup-Name == "2ndline") -> FALSE
?? Skipping (SQL-Group != "2ndline")
++? if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) -> FALSE
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bl", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql]   expand: %{User-Name} -> bl
[sql] sql_set_user escaped user --> 'bl'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'bl'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'bl'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'bl'           ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '2ndline'           ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "asdfasdf"
[pap] Using clear text password "asdfasdf"
[pap] User authenticated successfully
++[pap] returns ok

I expected to get reject on this login, but thats not happening, so I clearly don't understand all elements in this.

I just want this to work, http://wiki.freeradius.org/guide/SQL%20Huntgroup%20HOWTO
"Suppose you want to only allow the group site_a_admins to be used when logging into a NAS' at site_a . Assuming example_user was already a member of site_a_admins, you would follow the steps below."

Or even better to allow 3rdline users to login to everything and 2ndline users to login to some equipment.

Regards, Joel

-----Ursprungligt meddelande-----
Från: Freeradius-Users [mailto:freeradius-users-bounces+joel.bergmark=t3.se at lists.freeradius.org] För Alan DeKok
Skickat: den 18 december 2015 21:43
Till: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Ämne: Re: Make sense of SQL Huntgroup HOWTO?

On Dec 18, 2015, at 3:38 PM, Joel Bergmark <joel.bergmark at t3.se> wrote:
> 
> I'm not sure I have been clear enough.
> 
> If conditions below is achieved ie, it's determined that user is 2ndline and nas is 3rdline then it's supposed to be rejected? If so then its not working since the radius allows access.

  The server does not have these rules by default.  If the rules you created don't do what you want, it's because the rules are wrong.

> If not, then I probably haven’t made myself understood, if user is recognized as 2ndline attempting to login to something belonging to 3rdline it should be rejected.

  Sure.

> Perhaps something more like this would work as described?
> 
>        update request {
>                Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
>        }
>                if ((Huntgroup-Name == "2ndline" || SQL-Group != "2ndline")) {
>                reject
>        }

  No.  That does NOT do what you want.

  Why not use the rules I put in my previous message?  Are you changing them... just because?  Do you understand what they did?  Do you understand the difference between what I posted, and what you posted here?

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html