Can anybody post a simple howto with regards to using groups within freeradius? What we would like todo is restricted some user from logging into various firewalls. I've created usergroups and defined mysql> select * from usergroup ; +------------------+-------------+----------+ | UserName | GroupName | priority | +------------------+-------------+----------+ | | login users | 1 | | asa1.test | adminasa | 1 | | test.user | Login users | 1 | +------------------+-------------+----------+ and mysql> select * from radgroupcheck ; +----+-----------+----------------+----+----------------+ | id | GroupName | Attribute | op | Value | +----+-----------+----------------+----+----------------+ | 1 | adminasa | NAS-IP-Address | == | 10.252.128.11 | | 2 | adminasa | NAS-IP-Address | == | 10.252.253.199 | | 3 | adminasa | NAS-IP-Address | == | 10.250.32.68 | | 4 | adminasa | NAS-IP-Address | == | 10.250.32.69 | | 5 | adminasa | NAS-IP-Address | == | 10.254.32.68 | | 6 | adminasa | NAS-Identifier | == | 10.252.128.11 | +----+-----------+----------------+----+----------------+ 6 rows in set (0.00 sec) debug shows the following; Sending Access-Reject of id 10 to 10.159.103.154 port 1812 Waking up in 4 seconds... rad_recv: Access-Request packet from host 10.252.128.11:1025, id=40, length=67 User-Name = "asa1.test" User-Password = "33333333333330" NAS-IP-Address = 10.252.128.11 NAS-Port = 43 NAS-Port-Type = Virtual Processing the authorize section of radiusd.conf modcall: entering group authorize for request 18 modcall[authorize]: module "preprocess" returns ok for request 18 modcall[authorize]: module "chap" returns noop for request 18 modcall[authorize]: module "mschap" returns noop for request 18 rlm_realm: No '@' in User-Name = "asa1.test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 18 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 18 modcall[authorize]: module "files" returns notfound for request 18 radius_xlat: 'asa1.test' rlm_sql (sql): sql_set_user escaped user --> 'asa1.test' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'asa1.test' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'asa1.test' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'asa1.test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'asa1.test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'asa1.test' ORDER BY id' rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'asa1.test' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'asa1.test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'asa1.test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 3 modcall[authorize]: module "sql" returns ok for request 18 modcall: leaving group authorize (returns ok) for request 18 auth: type Crypt Login OK: [asa1.test] (from client SBBC port 43) Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 18 rlm_sql (sql): Processing sql_postauth radius_xlat: 'asa1.test' rlm_sql (sql): sql_set_user escaped user --> 'asa1.test' radius_xlat: 'INSERT into radacct (UserName, NASIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, CallingStationId, AcctTerminateCause, NASIdentifier) values ('asa1.test', '10.252.128.11', NOW(), NOW(), '0', 'Local', '', 'Access-Accept', '')' radius_xlat: '/var/log/freeradius/sqltrace.sql' rlm_sql (sql) in sql_postauth: query is INSERT into radacct (UserName, NASIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, CallingStationId, AcctTerminateCause, NASIdentifier) values ('asa1.test', '10.252.128.11', NOW(), NOW(), '0', 'Local', '', 'Access-Accept', '') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: INSERT into radacct (UserName, NASIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, CallingStationId, AcctTerminateCause, NASIdentifier) values ('asa1.test', '10.252.128.11', NOW(), NOW(), '0', 'Local', '', 'Access-Accept', '') rlm_sql (sql): Released sql socket id: 2 modcall[post-auth]: module "sql" returns ok for request 18 modcall: leaving group post-auth (returns ok) for request 18 Sending Access-Accept of id 40 to 10.252.128.11 port 1025 Service-Type = Dialout-Framed-User Finished request 18 Going to the next request So I need some starting point of what/where to look at. Thanks
On 06/27/2011 09:29 PM, Ken Felix wrote:
Can anybody post a simple howto with regards to using groups within freeradius? What we would like todo is restricted some user from logging into various firewalls. I've created usergroups and defined
Which version of FreeRADIUS are you using? Anyway, the group config you've written doesn't do what you want. All it says is "if you're this username and coming from these IPs, you're in the gruop". You're not actually acting in the group membership. There are lots of ways to do this, but personally I prefer to keep SQL groups entirely user-based, and use huntgroups for NAS IPs, then compare the two. So: raddb/huntgrousp: restricted NAS-IP-Address == 192.0.2.1 raddb/sites-enabled/xxx: authozie { if (Huntgroup-Name == restricted) { if (SQL-Group == "restricted") { # ok to login } else { reject } } } ...or if you prefer to us a "users" file, in raddb/users: DEFAULT Huntgroup-Name == restricted, SQL-Group == "restricted" Fall-Through = No DEFAULT Huntgroup-Name == restricted, Auth-Type := Reject Fall-Through = No There are lots of other ways to accomplish this. The point being, you need to actually check the group, and if you define the group so that it depends on the username, and they thing they're permitted to access, then you're essentially writing a whitelist and would need something like, in your example, raddb/users: DEFAULT SQL-Group == xxx Fall-Through = No DEFAULT SQL-Group == yyy Fall-Through = No DEFAULT Auth-Type := Reject
Phil you examples was straight on, and very helpful. I ended up using SQLgroup within "/etc/freeradius/users + huntgrousps" and the groups that I've created & it worked the very 1st time, & with no problems. To answer your other question, this is with freeradius version; root@TACACS:/etc/init.d# freeradius -v | grep Version freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built on Mar 30 2007 at 22:44:34 root@TACACS:/etc/init.d# Thanks -----Original Message----- From: freeradius-users-bounces+kfelix=jdltech.com@lists.freeradius.org on behalf of Phil Mayers Sent: Tue 6/28/2011 3:55 AM To: freeradius-users@lists.freeradius.org Subject: Re: how to use groups within freeradius On 06/27/2011 09:29 PM, Ken Felix wrote:
Can anybody post a simple howto with regards to using groups within freeradius? What we would like todo is restricted some user from logging into various firewalls. I've created usergroups and defined
Which version of FreeRADIUS are you using? Anyway, the group config you've written doesn't do what you want. All it says is "if you're this username and coming from these IPs, you're in the gruop". You're not actually acting in the group membership. There are lots of ways to do this, but personally I prefer to keep SQL groups entirely user-based, and use huntgroups for NAS IPs, then compare the two. So: raddb/huntgrousp: restricted NAS-IP-Address == 192.0.2.1 raddb/sites-enabled/xxx: authozie { if (Huntgroup-Name == restricted) { if (SQL-Group == "restricted") { # ok to login } else { reject } } } ...or if you prefer to us a "users" file, in raddb/users: DEFAULT Huntgroup-Name == restricted, SQL-Group == "restricted" Fall-Through = No DEFAULT Huntgroup-Name == restricted, Auth-Type := Reject Fall-Through = No There are lots of other ways to accomplish this. The point being, you need to actually check the group, and if you define the group so that it depends on the username, and they thing they're permitted to access, then you're essentially writing a whitelist and would need something like, in your example, raddb/users: DEFAULT SQL-Group == xxx Fall-Through = No DEFAULT SQL-Group == yyy Fall-Through = No DEFAULT Auth-Type := Reject - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'm trying to do the same thing as your second example: I setup a group in radgroupcheck: id groupname attribute op value 1 PVT NAS-IP-Address == 10.99.0.47 and the corresponding rows in radgroupreply: id groupname attribute op value 26 PVT Auth-Type := Reject 27 PVT Reply-Message := Hello world! rad_recv: Access-Request packet from host 10.99.0.47 port 1645, id=108, length=146 Framed-Protocol = PPP User-Name = "test.ca/branchtest1" User-Password = "poochpatrol" Calling-Station-Id = "bas110002200045" Connect-Info = "155520000" NAS-Port-Type = Virtual NAS-Port = 46 NAS-Port-Id = "Uniq-Sess-ID46" Service-Type = Framed-User NAS-IP-Address = 10.99.0.47 [sql-auth] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = test.ca/branchtest1' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'test.ca/branchtest1' ORDER BY priority [sql-auth] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'PVT' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'PVT' ORDER BY id [sql-auth] User found in group PVT [sql-auth] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'AKN-PVT' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'PVT' ORDER BY id rlm_sql (sql-auth): Released sql socket id: 3 ++[sql-auth] returns ok Sending Access-Accept of id 108 to 10.99.0.47 port 1645 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP Service-Type := Framed-User Framed-Protocol += PPP Framed-IP-Address += 172.23.254.1 Cisco-AVPair += "lcp:interface-config#1=bandwidth 4032" Cisco-AVPair += "lcp:interface-config#1=bandwidth receive 800" Reply-Message += "Hello world!" Finished request 2. As you can see, it's definitely matching on the group, and even applying one of the attributes (Reply-Message) but it's authenticating the user (and obviously shouln't be). Any thoughts? GG On Tue, Jun 28, 2011 at 9:31 AM, Ken Felix <kfelix@jdltech.com> wrote:
Phil
you examples was straight on, and very helpful. I ended up using SQLgroup within "/etc/freeradius/users + huntgrousps" and the groups that I've created & it worked the very 1st time, & with no problems. To answer your other question, this is with freeradius version;
root@TACACS:/etc/init.d# freeradius -v | grep Version freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built on Mar 30 2007 at 22:44:34 root@TACACS:/etc/init.d#
Thanks
-----Original Message----- From: freeradius-users-bounces+kfelix=jdltech.com@lists.freeradius.org on behalf of Phil Mayers Sent: Tue 6/28/2011 3:55 AM To: freeradius-users@lists.freeradius.org Subject: Re: how to use groups within freeradius
On 06/27/2011 09:29 PM, Ken Felix wrote:
Can anybody post a simple howto with regards to using groups within freeradius? What we would like todo is restricted some user from logging into various firewalls. I've created usergroups and defined
Which version of FreeRADIUS are you using?
Anyway, the group config you've written doesn't do what you want. All it says is "if you're this username and coming from these IPs, you're in the gruop".
You're not actually acting in the group membership.
There are lots of ways to do this, but personally I prefer to keep SQL groups entirely user-based, and use huntgroups for NAS IPs, then compare the two. So:
raddb/huntgrousp:
restricted NAS-IP-Address == 192.0.2.1
raddb/sites-enabled/xxx:
authozie { if (Huntgroup-Name == restricted) { if (SQL-Group == "restricted") { # ok to login } else { reject } } }
...or if you prefer to us a "users" file, in raddb/users:
DEFAULT Huntgroup-Name == restricted, SQL-Group == "restricted" Fall-Through = No DEFAULT Huntgroup-Name == restricted, Auth-Type := Reject Fall-Through = No
There are lots of other ways to accomplish this. The point being, you need to actually check the group, and if you define the group so that it depends on the username, and they thing they're permitted to access, then you're essentially writing a whitelist and would need something like, in your example, raddb/users:
DEFAULT SQL-Group == xxx Fall-Through = No
DEFAULT SQL-Group == yyy Fall-Through = No
DEFAULT Auth-Type := Reject - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Gary T. Giesen -
Ken Felix -
Phil Mayers