W dniu 2023-08-07 18:59, Alan DeKok napisał(a):
But where to put SQL query?
In the "authorize" section.
Thanks a lot. :)
The initial problem is *not* "how do I configure FreeRADIUS". The initial problem is to write down a set of rules you want FreeRADIUS to follow. Write the rules down as simple sentences, with as much detail as possble:
if the user is "login" use the NAS address from the Access-Accept to look up the group name in the nasgrouprestrictions table ...
Ok I trust You - I will try to get my case another words. The problem description: There are usergroups: USERGROUP1 { user1, user2, user3 } USERGROUP2 { user4, user5, user6, user1 } There is also { user7 } without group. There are nasgroups: GROUPNAS1 { device1, device2, device3 } GROUPNAS2 { device4, device5, device6, device1 } There is also { device7 } without group. Shortly: I need to get permission authorization (getting permission to device login) based on usergroups and nas groups. Ruleset: The only users got access to GROUPNAS1 devices should be users from group USERGROUP1. The only users got access to GROUPNAS2 devices should be users from group USERGROUP2. For user7 (without group assigned) there should be no access for devices from GROUP1 and GROUP2 (user could only log into device7). For device7 (no nas group assigned) there should be no usergroup/devicegroup restrictions. I think that creating two tables additional tables should be enough for storing permissions: nasgrouprestrictions (id, nasgroupname, nasname) [which nas is in what group] nasgroupchecks (id, groupname, nasgroupname) [which usergroup got access to whitch group of devices] Maybe there is better way to archieve this? I am very supprised that there are no standard structures in postgres/schema.sql for this basic need. Can I use result of one query in another check in freeradius or I need to build very long and almost unreadable SQL query? What You suggest?