Ruleset: The only users got access to GROUPNAS1 devices should be users from group USERGROUP1. The only users got access to GROUPNAS2 devices should be users from group USERGROUP2. For user7 (without group assigned) there should be no access for devices from GROUP1 and GROUP2 (user could only log into device7). For device7 (no nas group assigned) there should be no usergroup/devicegroup restrictions.
The RADIUS packets contain detailed information about NAS IP, etc. This is the information you will use to configure the above rules. If the rules don't contain this detailed information, the rules are too vague to be implemented.
I am login to some device using login+pass+ipaddress. Login and pass are in radcheck SQL table: 1 | login1 | Cleartext-Password | := | verystrongpass ipaddress is in table nas id | nasname | shortname | type | ports | secret | 6158 | 127.0.0.1 | freeradius-web-php | other | | verystrongsecret|
i.e. what information does it received in RADIUS? What attributes does it use to query SQL? What do those SQL queries look like?
Now I use vanillia queries from /etc/freeradius/3.0/mods-config/sql/main/postgresql/queries.conf. Less changes are better. I am testing locally: $ radtest -x login1 verystrongpass 172.20.100.3:1812 1 verystrongsecret Sent Access-Request Id 44 from 0.0.0.0:36238 to 172.20.100.3:1812 length 75 User-Name = "login1" User-Password = "verystrongpass" NAS-IP-Address = 127.0.1.1 NAS-Port = 1 Message-Authenticator = 0x00 Cleartext-Password = "verystrongpass" Got response: Received Access-Accept Id 185 from 172.20.100.3:1812 to 172.20.100.3:41317 length 20 It just work.
You can use the result of one SQL query in another SQL query. Just put the intermediate data into an attribute. See raddb/dictionary for documentation on defining local attributes.
I will check that for sure.
These are still high level. You need to get into details as I had suggested in my earlier message.
Now...could I add something more? Its like learning new programming language.