One more question, Can I use a combination or the users file and the SQL at the same time? I'm thinking of enabling the users file and enter all the DEFAULT entries in there but still keep the users in SQL and have authentication fall-trhough the users file to the SQL file. Will this work? Adrian -----Original Message----- From: freeradius-users-bounces+adrian=dsl4u.ca@lists.freeradius.org [mailto:freeradius-users-bounces+adrian=dsl4u.ca@lists.freeradius.org] On Behalf Of Adrian Sent: Wednesday, February 27, 2008 6:04 PM To: 'FreeRadius users mailing list' Subject: RE: NAS-Group? - different replies to different NASes? Hello Ivan, I haven't had much luck with setting this up. We use a mysql DB and in the sql.conf file I don't use the DEFAULT Profile section nor do we use the users file. I've spoken with a few friends and they were able to get this working but in a flat-file environment (I.e using the users file and using the DEFAULT you've mentioned below) Is there a way to get this working with SQL without hacking the SLQ statements? I was thinking of modifying the authorization query in sql.conf (authorize_group_check_query) to utilize a Huntgroup-Name Attribute in the radgroupcheck table. Not sure if this will even work. Here is the original query: authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Att ribute,${g roupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQ L-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id" Here is the proposed changed query: authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Att ribute,${g roupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQ L-User-Name}' AND ${usergroup_table}.NASGroup = ${groupcheck_table}.NASGroup ORDER BY ${groupcheck_table}.id" For the above to work I would have to introduce a new column in the usergroup table called NASGroup and also in the radcheckgroup table. This sounds like a lot of work and maybe unnecessary. I'm pretty sure this works with huntgroups and flat files...how can I make it work with SQL? Will my answer be turning up "Default Profile" under the sql.conf file of the radius server? Best regards, Adrian -----Original Message----- From: freeradius-users-bounces+adrian=dsl4u.ca@lists.freeradius.org [mailto:freeradius-users-bounces+adrian=dsl4u.ca@lists.freeradius.org] On Behalf Of Adrian Sent: Tuesday, February 26, 2008 5:09 PM To: 'FreeRadius users mailing list' Subject: RE: NAS-Group? - different replies to different NASes? Thanks Ivan, I will give that a try. Thanks for all your help. Adrian -----Original Message----- From: freeradius-users-bounces+adrian=dsl4u.ca@lists.freeradius.org [mailto:freeradius-users-bounces+adrian=dsl4u.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Tuesday, February 26, 2008 2:37 PM To: FreeRadius users mailing list Subject: RE: NAS-Group? - different replies to different NASes?
A: I have a set of "master" tunnel attributes that I always have to send to this Telco. i.e. Service-type, Tunnel-Type, Tunnel-Preference, Tunnel-password, Tunnel-Server-Endpoint..etc The way this Telco obtains these attributes is by sending the Username/Password combination my way. (i.e. I need to authenticate userxyz@telco.com). Once I see that user come through from their boxes (3 Static IPs) I have to send back to them the tunnel attributes above. Once the tunnel attributes were sent, they establish an L2TP tunnel to my LNS
and
my LNS now asks my Radius server again to authenticate the user. So I see the same userxyz@telco.com requesting to be authenticated. Since I currently cannot distinguish between NASes I am sending the same Tunnel Attributes to my LNS which causes my LNS to try to initiate a tunnel back to itself (because the Tunnel-Server-Endpoint attribute is the actual LNS). ++++++++++++++++++++++++++++++++++++++
This is very strange. That information should be on telco radius server, not yours. It should not have to proxy requests to you. They ought to know the tunnel endpoint - *they* gave you the IP to set on your router when they leased you the line. Simplest thing to do is to create a huntgroup caled LAC and place those static IPs there. Then put something like this i your users file: DEFAULT Huntgroup-Name == "LAC", Auth-Type := Accept Reply-Message = "You are one strange telco", and list other reply attributes that you need to send them. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html