James Wakefield wrote:
isidoros wrote:
Thanks James for your answer,
I'm fairly new to freeradius I know the package only 14 days. (or radius in general for that matter)
The group configuration is a mystery to me. It is unclear for me how this separates the users. This is how I think 1) G1 with users A,B,C 2) G2 with users X,Y,Z 3) At a request the configuration determines which group the user belongs to 4) And makes a query for the users A until Z to the same database 5) the auth_query only talks about the user. 6) This is the point where a fail to understand that the group config helps me. The query is made to the same database on behalf of the any user.
Please spell it out to me where my thinking goes wrong. I would like the understand this group config thing better (if at all at this point in time).
Hi Isidoros,
In sql.conf,
authcheck_table = "radcheck" authreply_table = "radreply"
groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply"
usergroup_table = "usergroup"
groupcheck_table and usergroup_table are referred to here:
authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"
This retrieves all the check items that apply to the group the user belongs to. The usergroup table maps users to groups, and radgroupcheck maps groups to check items. A check item, which will be a new term to you if you're a newbie, is an expression which is evaluated when deciding whether or not to authorize a request, such as User-Password == "mypassword", or Calling-Station-Id != "5554796".
When rlm_sql is invoked to authorize a request, the user's check items in radcheck are evaluated. When the user is in a group, this might only be to check User-Password. Then, authorize_group_check_query is used to retrieve check items for the user's group, which are then evaluated. If all the applicable check items, from both radcheck and radgroupcheck, match, then the reply items - Attribute=Value pairs sent from freeradius to the NAS when it sends the Access-Accept message for an authorized request - are retrieved by querying radreply, for reply items specific to the user, and radgroupreply, for reply items specific to the user's group.
Make any more sense?
In the meanwhile: I have solved the problem with the below changes:
in sql.conf replace this rule with: authorize_check_query = "SELECT id, UserName, Attribute, Value, op \ FROM ${authcheck_table} \ WHERE Username = '%{SQL-User-Name}' AND \ Location = (SELECT Location FROM nas WHERE nasname = '%{NAS-Identifier}') \ ORDER BY id"
in mysql
fill the nas table with your info: INSERT INTO nas (nasname, nasshortname, type, secret, Location) VALUES ('yournasname in chillspot', 'anyname' , 'other', 'shared secret', 'Location-number '. );
It works, but I have no idea if this is "best practice" or I'm seriously damaging the config.
Best practice is to not change any code if you don't have to. By using groups, you don't have to change any code. I wouldn't say you've "seriously damaged" the config, but you may find that it doesn't behave in the future. I would recommend spending the time getting groups and group checks to work, then reverting any SQL queries you've altered back to their defaults. It'll be much less painful in the long run.
Cheers,
James: I'm allmost there (now I'm thinking like this) 1) authorize_group_check_query: to check of the user is in a group 2) authorize_group_check_query: retrieve the check-items for this group (which is my solution) 3) authorize on the check-items. if the expression is like this "whether or not to authorize a request, such as User-Password == "mypassword", or Calling-Station-Id != "5554796". will all users in the same group authorize by the same password? I guess my question is: Is the group check additional to the user check. regards, isidoros