Fw: Grant access to a groups of users to a determinated subnets

Condor condor_bulto at yahoo.com
Tue Feb 4 14:16:43 CET 2020


Sorry, here it is in plain text, I guess (if I'm seeing right).


----- Forwarded Message -----

From: Condor <condor_bulto at yahoo.com>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>; Matthew Newton <mcn at freeradius.org>
Sent: Tuesday, February 4, 2020, 09:44:32 AM GMT-3
Subject: Re: Grant access to a groups of users to a determinated subnets




Now if I do this:

    (0)    if (<ipv4prefix>&NAS-IP-Address < 192.168.0.0/16)  -> FALSE 
        (NAS-IP-Address=192.168.212.250)

But, if I do this:
    if (<ipv4prefix>192.168.212.250 < 192.168.0.0/16)  -> TRUE

in sites-available/default

authorize part:

       if (<ipaddr>"192.168.212.254" < 192.168.208.0/24) {
          update control {
            &Huntgroup-Name == "gtest003"
          }
       }

In users

test003 Crypt-Password := "$1$jwGqjrOP$zLsB3uUlLsTx2wG.bj7uD0", Huntgroup-Name == gtest003
        Auth-Type = System,
        Service-Type = Login,
        Reply-Message = "Hello test003",

In huntgroup: Nothing

Radius -X (brief)

(0)    if (<ipv4prefix>192.168.212.254 < 192.168.0.0/16) 
(0)    if (<ipv4prefix>192.168.212.254 < 192.168.0.0/16)  -> TRUE
(0)   if (<ipv4prefix>192.168.212.254 < 192.168.0.0/16)  {
(0)    update control {
(0)  &Huntgroup-Name = 'gtest003'
(0)    } # update control = noop
(0)   } # if (<ipv4prefix>192.168.212.254 < 192.168.0.0/16)  = noop
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0)  suffix : Checking for suffix after "@"
(0)  suffix : No '@' in User-Name = "test003", looking up realm NULL
(0)  suffix : No such realm "NULL"
(0)   [suffix] = noop
(0)  eap : No EAP-Message, not doing EAP
(0)   [eap] = noop
(0)   [files] = noop
(0)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type
(0)  WARNING: pap : Authentication will fail unless a "known good" password is available


What am I doing wrong?
Is there an easy way to match groups of NAS addresses (subnets or lists) with users? I tried huntgroups (with regex) and unlang (that piece of code).

Please throw me a rope, 

thanks!





On Monday, February 3, 2020, 10:44:56 AM GMT-3, Condor via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote: 





Same thing with "<"  if (<ipv4prefix>&NAS-IP-Address < 192.168.0.0/16)  -> FALSE
 
    On Monday, February 3, 2020, 10:41:35 AM GMT-3, Condor via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:  

  One thing fixed: if (<ipv4prefix>&NAS-IP-Address < 192.168.0.0/16) 

instead:
if (&NAS-IP-Address < 192.168.0.0/16) 

In radiusd -X if (<ipv4prefix>&NAS-IP-Address == 192.168.0.0/16)  -> FALSE
Any idea? Thanks!
    On Monday, February 3, 2020, 10:04:36 AM GMT-3, Condor via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:  

  Hi Matthew, thanks for the help,
users:
test003 Crypt-Password := "$1$Z71ee$Z62hAIPIJbcaMDyHtUN/", Huntgroup-Name == gNetworking
        Auth-Type = System,
        Service-Type = Login,
        Reply-Message = "Hello Test001",
huntgroup: nothing
I put these lines in sites-available/default in the section "authorize":

        if (&NAS-IP-Address < 192.168.0.0/16) {
          update control {
            &Huntgroup-Name == "gNetworking"
          }
        }
When I try to execute radiusd -X I get this:
/etc/raddb/sites-enabled/default[273]: Parse error in condition
        if (&NAS-IP-Address < 192.168.0.0/16) {
                              ^ Failed to parse value for attribute
Errors reading or parsing /etc/raddb/radiusd.conf
Thanks !
On Wednesday, January 29, 2020, 11:15:16 AM GMT-3, Matthew Newton <mcn at freeradius.org> wrote:


On Wed, 2020-01-29 at 14:06 +0000, Condor via Freeradius-Users wrote:
> Sorry for asking again, is there an alternative to the huntgroup regex
> for subnets? unlang is possible maybe, but I don't understand how to
> use it. Could someone please point me to some example?

https://freeradius.org/radiusd/man/unlang.html

if (&NAS-IP-Address =~ /^192\.168\.(1?\d\d?|2[0-4]\d|25[0-5])\.(1?\d\d?|2[0-4]\d|25[0-5])$/) {
  update control {
    &Huntgroup-Name == "gNetworking"
  }
}

You can also check if IPs are in a particular network - see the man
page. e.g.

if (<ipaddr>192.0.2.1 < 192.0.2.0/24) {
  ...
}

if (&NAS-IP-Address < 192.0.2.0/24) {
  ...
}


-- 
Matthew
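The two checks Matthew points at (a dotted-quad regex and a `<ipaddr>x < a.b.c.d/n` prefix comparison) both answer the same question: is the NAS address inside a subnet? The Python below is an added example, not code from the thread or from FreeRADIUS; it models that containment test with the standard `ipaddress` module, cross-checks Matthew's regex against it on constructed sample addresses, and maps a NAS address to a huntgroup name using a constructed prefix table (the prefixes and group names are assumptions chosen to match the values quoted in this thread).

```python
import ipaddress
import re

# Regex from Matthew's reply: matches dotted-quad addresses inside 192.168.0.0/16
NAS_192_168_RE = re.compile(
    r"^192\.168\.(1?\d\d?|2[0-4]\d|25[0-5])\.(1?\d\d?|2[0-4]\d|25[0-5])$"
)

# Constructed lookup table (assumption): NAS subnet -> huntgroup name.
# A real deployment would carry this in the huntgroups file or in unlang.
HUNTGROUP_PREFIXES = [
    ("192.168.208.0/24", "gtest003"),
    ("192.168.0.0/16", "gNetworking"),
]

# Constructed sample NAS addresses, including malformed ones the regex must reject.
SAMPLES = [
    "192.168.212.250",   # inside /16, as in the thread's debug output
    "192.168.0.0",
    "192.168.255.255",
    "192.168.100.1",
    "192.169.1.1",       # outside /16
    "10.0.0.1",
    "192.168.1.256",     # not a valid octet
]


def ip_in_prefix(ip, prefix):
    """Containment test: equivalent of unlang '<ipaddr>ip < prefix'.

    Returns False (rather than raising) for strings that are not IP addresses,
    so it can be compared 1:1 against a regex that simply fails to match.
    """
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False


def huntgroup_for_nas(nas_ip, table=HUNTGROUP_PREFIXES):
    """Return the huntgroup for the most specific prefix containing nas_ip, else None."""
    by_specificity = sorted(
        table,
        key=lambda entry: ipaddress.ip_network(entry[0], strict=False).prefixlen,
        reverse=True,
    )
    for prefix, name in by_specificity:
        if ip_in_prefix(nas_ip, prefix):
            return name
    return None


def regex_agrees_with_prefix(samples, prefix="192.168.0.0/16"):
    """True when the regex and the prefix containment test agree on every sample."""
    for ip in samples:
        if bool(NAS_192_168_RE.match(ip)) != ip_in_prefix(ip, prefix):
            return False
    return True


if __name__ == "__main__":
    # Same address as the thread: inside the /16 but not inside 192.168.208.0/24
    print(ip_in_prefix("192.168.212.254", "192.168.0.0/16"))
    print(ip_in_prefix("192.168.212.254", "192.168.208.0/24"))
    print(huntgroup_for_nas("192.168.212.250"))
    print(regex_agrees_with_prefix(SAMPLES))
```

The table is searched longest-prefix first, so a NAS inside 192.168.208.0/24 gets the more specific group even though it is also inside 192.168.0.0/16; the same ordering matters if several `if (&NAS-IP-Address < ...)` blocks are stacked in unlang.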


  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html  




