Ok... so, here is my DB structure : Table radgroupcheck : +----+-----------+----------------+----+-------+ | id | groupname | attribute | op | value | +----+-----------+----------------+----+-------+ | 4 | hotel1 | Auth-Type | := | Local | | 5 | hotel1 | NAS-Identifier | == | LMS1 | +----+-----------+----------------+----+-------+ Table radusergroup : +----------+-----------+----------+ | username | groupname | priority | +----------+-----------+----------+ | user1 | hotel1 | 1 | +----------+-----------+----------+ Table radcheck: +----+----------+--------------------+----+----------------------------------+ | id | username | attribute | op | value | +----+----------+--------------------+----+----------------------------------+ | 33 | user1 | Cleartext-Password | := | 5f4dcc3b5aa765d61d8327deb882cf99 | +----+----------+--------------------+----+----------------------------------+ Now when I log in with user1 from a NAS identified by "LMS2", here is the radius output : rad_recv: Access-Request packet from host 127.0.0.1 port 32782, id=37, length=225 Vendor-14559-Attr-8 = 0x312e302e3132 User-Name = "user1" CHAP-Challenge = 0xdb7c1d07effaa75dc2a70e21957a6c16 CHAP-Password = 0x003d1437701d38d34412b7379d215605df NAS-IP-Address = 10.101.0.1 Service-Type = Login-User Framed-IP-Address = 10.101.101.1 Calling-Station-Id = "00-1D-09-50-17-B2" Called-Station-Id = "00-1E-4F-DF-E2-58" NAS-Identifier = "LMS2" Acct-Session-Id = "48e484ab00000002" NAS-Port-Type = Wireless-802.11 NAS-Port = 2 WISPr-Logoff-URL = "http://10.101.0.1:3990/logoff" Message-Authenticator = 0x88ff270956703c81baa051c0bc3965fc +- entering group authorize ++[preprocess] returns ok rlm_chap: Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop rlm_realm: No '@' in User-Name = "user1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> user1 rlm_sql (sql): sql_set_user escaped user --> 'user1' rlm_sql (sql): Reserving sql socket id: 2 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user1' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user1' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'user1' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'hotel1' ORDER BY id rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[noresetcounter] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "user1" with CHAP password rlm_chap: Using clear text password "5f4dcc3b5aa765d61d8327deb882cf99" for user user1 authentication. rlm_chap: chap user user1 authenticated succesfully ++[chap] returns ok +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 37 to 127.0.0.1 port 32782 Now as you can see, the radgroupcheck parameter NAS-Identifier == LMS1 did not mismatch... why ? super_tomtom wrote:
Hi ! I am actually setting up a freeradius server that will manage authentication from different places (hotels actually). I am just a beginner toward that technology, and i have one problem : I need to create some accounts that can be enabled at different places: for example you have an account in a hotel in London, then you could use the same account in another hotel of the same chain in ... Madrid for example. But, you could not not use this account in another hotel using the same solution (all my hotels will talk to the same freeradius server). ... I hope you understand my English, sorry about that... So here is the point: I need to check for each account in the radcheck table where does the Access-Request comes from. As some of the NAS will get their IP dynamically from their ISP, I cannot use the NAS-IP-Address parameter, so I would like to use the NAS-Identifier. As some of my accounts could be active for requests coming from several NAS, I thought I could use the radgroupcheck table, in a way like that :
radgroupcheck table : groupname | attribute | op | value myGroup | NAS-Identifier | == | myNASName
This parameter works in the radcheck tables, if the request comes from a wrong NAS Identifier freeradius sends a Access-Reject, but in the radgroupcheck table, nothing happens ...
Does anyone have an idea about that ? Thanks !
-- View this message in context: http://www.nabble.com/Checking-NAS-Identifier-in-the-radgroupcheck-table-tp1... Sent from the FreeRadius - User mailing list archive at Nabble.com.