SV: SV: Make sense of SQL Huntgroup HOWTO?

Joel Bergmark joel.bergmark at t3.se
Fri Dec 18 22:52:20 CET 2015


Thank you very very very much Matthew, this made my day! Also thanks to you others trying to help a network guy with this stuff.

Your solution at the end helped me greatly and it looks like it's working as necessary :-)

I will document it properly and clear my config files and update the wiki and give credit to you Matthew!

I'm very grateful! :-)

Kind regards and have a nice weekend
/Joel


-----Original message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+joel.bergmark=t3.se at lists.freeradius.org] On behalf of Matthew Newton
Sent: 18 December 2015 22:28
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: SV: Make sense of SQL Huntgroup HOWTO?

On Fri, Dec 18, 2015 at 08:55:20PM +0000, Joel Bergmark wrote:
> This is what I ran:
> 
>         update request {
>                 Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
>         }
>         if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) {
>                 reject
>         }


> rad_recv: Access-Request packet from host 46.23X.XX.170 port 1645, id=118, length=66
>         User-Name = "bl"
...

>         expand: %{sql:SELECT groupname FROM radhuntgroup WHERE 
> nasipaddress='%{NAS-IP-Address}'} -> Noc
> ++[request] returns notfound
> ++? if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline"))
> ?? Evaluating (Huntgroup-Name == "2ndline") -> FALSE

Huntgroup-Name here is "Noc", which is why it didn't match.

> ?? Skipping (SQL-Group != "2ndline")

...so it short-circuited and didn't even bother checking SQL-Group
- there's no point.

> ++? if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) -> 
> ++FALSE

So didn't reject.

> I expected to get reject on this login, but that's not happening, so I clearly don't understand all elements in this.
> 
> Or even better to allow 3rdline users to login to everything and 2ndline users to login to some equipment.

So your users are in two groups, namely "2ndline" or "3rdline"?

In which case you are only interested in the "2ndline" case if "3rdline" can access everything.

So you can start with

  if (SQL-Group == "2ndline") {

  ...

  }

which will skip the case where SQL-Group is 3rdline (or anything
else) in the ...

If you've got other groups you might want to make that 

  if (SQL-Group != "3rdline") {

instead, to match all users that are *not* in 3rdline.



Then once you've established users in 2ndline add extra stuff to reject on certain equipment, e.g.

  if (Huntgroup-Name != "2ndline") {
    reject
  }

or

  if (Huntgroup-Name == "3rdline") {
    reject
  }


Put together this could be

  if (SQL-Group == "2ndline") {
    if (Huntgroup-Name != "2ndline") {
      reject
    }
  }


which you can combine to come up with what was before (or
similar):

  if ((SQL-Group == "2ndline") && (Huntgroup-Name != "2ndline")) {
    reject
  }


But read the debug output - just find the bit where the if() is tested, which will tell you what it's testing and therefore what is or isn't matching.

Once you've done that you could for example join it all together into a policy that ends up something like

# only allow 2ndline to 2ndline kit
  if (SQL-Group == "2ndline") {
    if (Huntgroup-Name != "2ndline") {
      reject
    }
  }
# allow 3rdline to only access 3rdline and 2ndline kit
  elsif (SQL-Group == "3rdline") {
    if (Huntgroup-Name != "2ndline" && Huntgroup-Name != "3rdline") {
      reject
    }
  }
# else user can by default access everything except "restricted"
  else {
    if (Huntgroup-Name == "restricted") {
      reject
    }
  }

Does that help?

Matthew



--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
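As an added illustration (not part of the thread and not FreeRADIUS code), here is a small Python model of the three unlang conditions Matthew walks through, evaluated over every combination of the group and huntgroup names that appear above. The "other" group name is assumed for the example, to exercise the final else branch.

```python
# Added example: offline model of the unlang conditions discussed in the
# thread, so the resulting access matrix can be checked before deploying.
# Group/huntgroup names are taken from the thread; "other" is a constructed
# placeholder for "any group that is neither 2ndline nor 3rdline".

from itertools import product

GROUPS = ("2ndline", "3rdline", "other")
HUNTGROUPS = ("2ndline", "3rdline", "Noc", "restricted")


def original_condition(sql_group, huntgroup):
    """Joel's first attempt: rejects when the *equipment* is 2ndline and the
    user is not. With Huntgroup-Name "Noc" the left operand is FALSE, so &&
    short-circuits and SQL-Group is never examined (as the debug showed)."""
    return huntgroup == "2ndline" and sql_group != "2ndline"


def corrected_condition(sql_group, huntgroup):
    """Matthew's reordering: reject when the *user* is 2ndline and the
    equipment is not."""
    return sql_group == "2ndline" and huntgroup != "2ndline"


def final_policy(sql_group, huntgroup):
    """Model of the combined if/elsif/else policy at the end of the reply.
    Returns "reject", or "ok" meaning fall through to whatever follows."""
    if sql_group == "2ndline":
        if huntgroup != "2ndline":
            return "reject"
    elif sql_group == "3rdline":
        if huntgroup not in ("2ndline", "3rdline"):
            return "reject"
    else:
        if huntgroup == "restricted":
            return "reject"
    return "ok"


def access_matrix(policy):
    """Evaluate a policy function over every (SQL-Group, Huntgroup-Name) pair."""
    return {(g, h): policy(g, h) for g, h in product(GROUPS, HUNTGROUPS)}


if __name__ == "__main__":
    for (g, h), result in access_matrix(final_policy).items():
        print(f"SQL-Group={g:8} Huntgroup-Name={h:10} -> {result}")
```

Running it prints the full matrix; the "2ndline"/"Noc" row is the case from the debug output, which the original condition lets through and the corrected one rejects.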
