On Wed, Aug 1, 2012 at 4:52 AM, Fajar A. Nugraha <list@fajar.net> wrote:
On Wed, Aug 1, 2012 at 5:03 AM, Kaya Saman <kayasaman@gmail.com> wrote:
From what I can see it's quite non-complex config though one needs to understand the process of how RADIUS works and additionally the 'radius' way of doing things rather then say, a corporate network vendor way.
This helps: http://wiki.freeradius.org/Concepts
For now I have all the pieces to my jigsaw puzzle, minus defining a VLAN (tunnel ID) of last resort so if FR doesn't recognize the L2 address of a machine it should give it a specific tunnel-ID (VLAN).
There should be many ways to do that. If you assume that "normal" users would always have ONE Tunnel-Private-Group-Id reply attribute (in radreply), then you should be able to use unlang: http://freeradius.org/radiusd/man/unlang.html
You would then need to do something like this: - have "sql" module active in authorize block (you should already have that), which would populate reply attributes from rad(group)reply table - under that, have an unlang block that says "if there's no Tunnel-Private-Group-Id attribute in the reply, then add one". Something like (untested)
update reply { Tunnel-Private-Group-Id = 10 }
Replace the "10" there with whatever your Tunnel-Private-Group-Id for unknown users is, and the "=" operator will "Add the attribute to the list, if and only if an attribute of the same name is not already present in that list" (see unlang man page).
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks a lot Fajar for that!! Unfortunately your suggestion didn't work and reading through the UNLANG doc you sent I came up with this: ...under Authorize section: sql #if (User-Name !== "") { if %{User-Name}:-{ update reply { Tunnel-Private-Group-Id = 80 Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Preference = 0x000000 } } Which to my understanding should evaluate the %{User-Name} field and IF there is information in there return with the values provided after.... I'm almost there as I do get that in the response: rlm_sql (sql): Released sql socket id: 3 [sql] User 0015c5537baa not found ++[sql] returns notfound ++? if % Evaluating (%) -> TRUE ++? if % -> TRUE ++- entering if % {...} +++[reply] returns notfound ++- if % returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} ++- group REJECT returns noop Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 142 to 10.0.0.1 port 1645 Tunnel-Private-Group-Id:0 = "80" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Preference:0 = 0 Waking up in 4.9 seconds. Cleaning up request 0 ID 142 with timestamp +16 Ready to process requests. But unfortunately the user is getting an Access-Reject ID :-( Could it be that I have failed to include something?? Perhaps: update reply { Access = Accept .... Regards, Kaya