Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Fajar A. Nugraha list at fajar.net
Thu Sep 5 07:04:10 CEST 2019


On Thu, Sep 5, 2019 at 9:43 AM Levin, Vladimir <vladlevin at geo-logic.com> wrote:
>
> Hi Fajar,
>
> Just to be clear: the user accounts and groups already exist in Synology's local database.

Does freeradius get the same information from that database?

>  My goal is to return the users' group as a Class attribute in the authentication reply to the RADIUS client (Cisco VPN router).  Here's what I did (working config files are located in  /usr/local/synoradius/):
> 1. Created  /usr/local/synoradius/groups  file with the following content:
> update reply {
>         Class := "%{Group}"
> }

Have you determined that %{Group} actually contains the correct group?

> The client log reads "charon: Localdb:authorization failed as group is NULL".
>
> Below is the server log:
> Type    Date & Time     Event
> 2019-09-04 18:59:06     Info    Ready to process requests
> 2019-09-04 18:59:06     Debug   (0) Cleaning up request packet ID 166 with timestamp +36671
> 2019-09-04 18:59:01     Debug   Waking up in 4.9 seconds.
> 2019-09-04 18:59:01     Debug   (0) Finished request
> 2019-09-04 18:59:01     Debug   (0) Class := 0x

Looking at this, it seems that %{Group} is expanded to null.

Where did Synology define the group? If it's part of a unix group, then
reading http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-tp2781054p2781071.html
, it does not store group membership in the 'Group' attribute. You might
be able to use something like
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/etc_group
, but it might or might not work depending on what's in your
/etc/group.

If your user/group are stored in SQL, then it's a different
story. You might be able to get group membership using a custom SQL
query.

In any case, you can see what attributes you can use (for update
reply) in debug mode using debug_all: https://serverfault.com/a/845161

-- 
Fajar
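
The reply above notes that a lookup against /etc/group "might or might not work depending on what's in your /etc/group". The following is an added example, not part of the original message or of FreeRADIUS: it checks which users such a lookup would return nothing for, assuming the lookup matches User-Name against the member field of /etc/group. The file contents, user names and group names are constructed sample data.

```python
# Added example: which users get a group from a lookup keyed on the
# member field of /etc/group. All file contents are constructed samples.
SAMPLE_GROUP = """\
root:x:0:
administrators:x:101:admin,vlad
vpn-users:x:65536:vlad,alice
users:x:100:
brokenline
"""

SAMPLE_PASSWD = """\
admin:x:1024:100::/var/services/homes/admin:/bin/sh
vlad:x:1026:100::/var/services/homes/vlad:/sbin/nologin
alice:x:1027:100::/var/services/homes/alice:/sbin/nologin
bob:x:1028:100::/var/services/homes/bob:/sbin/nologin
"""

def parse_group(text):
    """Return {group_name: (gid, [members])}; malformed lines are skipped."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.startswith("#") or len(fields) != 4 or not fields[2].isdigit():
            continue
        members = [m for m in fields[3].split(",") if m]
        groups[fields[0]] = (int(fields[2]), members)
    return groups

def listed_groups(user, groups):
    """Groups naming the user in the member field (what a member-keyed lookup sees)."""
    return sorted(g for g, (_, members) in groups.items() if user in members)

def primary_group(user, passwd_text, groups):
    """Primary group from the passwd GID; usually not repeated in the member field."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == user and fields[3].isdigit():
            return next((g for g, (n, _) in groups.items() if n == int(fields[3])), None)
    return None

def users_with_no_listed_group(passwd_text, groups):
    """Users for whom the member-field lookup is empty (Class would be empty too)."""
    users = [l.split(":")[0] for l in passwd_text.splitlines() if l and not l.startswith("#")]
    return [u for u in users if not listed_groups(u, groups)]

if __name__ == "__main__":
    g = parse_group(SAMPLE_GROUP)
    for u in ("vlad", "bob"):
        print(u, listed_groups(u, g), primary_group(u, SAMPLE_PASSWD, g))
    print("no listed group:", users_with_no_listed_group(SAMPLE_PASSWD, g))
```

A user who belongs only to a primary group (here the constructed user bob) has no entry in any member field, so a member-keyed lookup yields nothing for that user even though the account has a group.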


More information about the Freeradius-Users mailing list