a little help here guys???<br><br><div class="gmail_quote">On Fri, Jan 22, 2010 at 9:58 AM, Satyam Mathura <span dir="ltr"><<a href="http://satz.sm">satz.sm</a>@<a href="http://gmail.com">gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">OK i'm back to my original question.<br>How do i get FreeRadius working with a MySQL back-end to do the following:<br>
a. Reject a user if that user is in a group which is not allowed to access devices in a specific huntgroup.<br>
b. Allow a user if that user is in the appropriate group which is allowed to access devices in a specific huntgroup.<br>c. Do not allow blank passwords for users.<br><br>As stated before my huntgroup & radgroupcheck configs look like<br>
<br>my radhuntgroup config:<br>+----+-----------+------------<div><div class="im">----+----------------+------------------+<br>
| id | groupname | nasipaddress | nasportid | usergroup |<br>+----+-----------+----------------+----------------+------------------+<br>| 1 | admin | 192.168.1.1 | tty | engineeringadmin |<br>
<br><br></div><div class="im">my radgroupcheck config:<br>+----+------------------+----------------+----+----------------+<br>| id | groupname | attribute | op | value |<br>+----+------------------+----------------+----+----------------+<br>
| 5 | engineeringadmin | Huntgroup-Name | == | admin | <br>| 6 | engineeringadmin | Auth-Type | := | Accept | </div></div><br><br>Based on the help of previous posters, Rule 6 in radgroupcheck allows users to access a nas once their username is correct even if they supply a blank password.<br>
There must be a way around this. What am i doing wrong?<div><div></div><div class="h5"><br><br><br><div class="gmail_quote">On Thu, Jan 21, 2010 at 7:28 PM, Satyam Mathura <span dir="ltr"><<a href="http://satz.sm" target="_blank">satz.sm</a>@<a href="http://gmail.com" target="_blank">gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Quick update. <br>Although the radius server no longer accepts blank passwords, i now have a problem where users who belong to groups which are not allowed to access nas devices in certain huntgroups can now do so.<br>
Any ideas?<div><div></div><div><br>
<br><div class="gmail_quote">On Thu, Jan 21, 2010 at 7:14 PM, Satyam Mathura <span dir="ltr"><<a href="http://satz.sm" target="_blank">satz.sm</a>@<a href="http://gmail.com" target="_blank">gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
The reason i had those configs was because they were outlined as steps to reject authentication by default in the guide i was using.<div><br><a href="http://wiki.freeradius.org/SQL_Huntgroup_HOWTO" target="_blank">http://wiki.freeradius.org/SQL_Huntgroup_HOWTO</a><br>
<br></div><span style="color: rgb(51, 51, 255);">"Note: If you want to reject authentication by default then edit the
raddb/users file and add this:
</span>
<pre style="color: rgb(51, 51, 255);">DEFAULT Auth-Type := Reject<br></pre>
<p style="color: rgb(51, 51, 255);">Then add Auth-Type Accept with := as op in radgroupcheck for each group"</p><p><br></p><p>I've commented out the DEFAULT Auth-Type := Reject in the users file<br></p><p>and removed the Auth-Type := Accept from the radgroupcheck table and the server no longer accepts a blank password.</p>
<p><br></p><p>Guide is incorrect or needs updating?</p><p>Thanks for the help guys.<br></p><div><div></div><div><p><br></p><p><br></p><p><br></p><p><br></p><p><br></p><div class="gmail_quote">On Thu, Jan 21, 2010 at 6:58 PM, Bjørn Mork <span dir="ltr"><<a href="mailto:bjorn@mork.no" target="_blank">bjorn@mork.no</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div>Satyam Mathura <<a href="http://satz.sm" target="_blank">satz.sm</a>@<a href="http://gmail.com" target="_blank">gmail.com</a>> writes:<br>
<br>
> Line 204 in my users file is the following:<br>
> DEFAULT Auth-Type := Reject<br>
<br>
</div>You don't want that. It removes the server's ability to figure it out<br>
by itself.<br>
<div><br>
<br>
> my radgroupcheck config:<br>
> +----+------------------+----------------+----+----------------+<br>
> | id | groupname | attribute | op | value |<br>
> +----+------------------+----------------+----+----------------+<br>
> | 5 | engineeringadmin | Huntgroup-Name | == | admin |<br>
> | 6 | engineeringadmin | Auth-Type | := | Accept |<br>
<br>
</div>Why? This will make the server act as you describe: Any username in the<br>
engineeringadmin group will be accepted regardless of password.<br>
<font color="#888888"><br>
<br>
Bjørn<br>
</font><div><div></div><div><br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a></div></div></blockquote></div><br>
</div></div></blockquote></div><br>
</div></div></blockquote></div><br>
</div></div></blockquote></div><br>