Restricting access for some devices to some groups
Hi, I would like to restrict access to some devices (using ipaddresses). How do You assign group privileges with freeradius? (I tried to find some docs but without good results) I try: In SQL database: 1. I added table "nasgrouprestrictions" (id, nasname, groupname), Example DB results: (1, 10.100.0.1, superadm) (2, 10.100.0.1, users) (3, 10.100.0.2, superadm) (4, 10.100.0.3, users) 2. I created group "superadm" and assigned users in table radusergroup, login1, login2 are in "users" group login3 is in "superadm" and "users" group How to allow: login3 to login into all 10.100.0.{1,2,3} hosts and login1, login2 to login into only 10.100.0.{1,3} hosts ? But where to put SQL query? -- Jarosław Kłopotek, kom. 607 893 111 INTERDUO Bujek Kłopotek Sowa sp.j. ul. Krańcowa 17, 21-100 Lubartów tel. 81 475 3000
On Aug 7, 2023, at 11:58 AM, Jarosław Kłopotek <jkl@interduo.pl> wrote:
Hi, I would like to restrict access to some devices (using ipaddresses).
How do You assign group privileges with freeradius?
Define a group. Then if the group matches, assign authorization.
(I tried to find some docs but without good results)
Yes, there is no documentation on exactly what you want to do. The documentation instead describes how the server works. It lets you put the pieces together.
I try: In SQL database: 1. I added table "nasgrouprestrictions" (id, nasname, groupname),
The server doesn't look at that group, so you will need to update the configuration to run a SELECT query to search the table.
2. I created group "superadm" and assigned users in table radusergroup, login1, login2 are in "users" group login3 is in "superadm" and "users" group
Ok...
How to allow: login3 to login into all 10.100.0.{1,2,3} hosts and login1, login2 to login into only 10.100.0.{1,3} hosts ?
But where to put SQL query?
In the "authorize" section. if ((User-Name == "login3") && ("%{sql:SELECT ...}" == "...") { ... do stuff } The initial problem is *not* "how do I configure FreeRADIUS". The initial problem is to write down a set of rules you want FreeRADIUS to follow. Write the rules down as simple sentences, with as much detail as possble: if the user is "login" use the NAS address from the Access-Accept to look up the group name in the nasgrouprestrictions table ... etc. Once you have a clear description of the problem you want to solve, it's a lot easier to configure FreeRADIUS. Alan DeKok.
W dniu 2023-08-07 18:59, Alan DeKok napisał(a):
But where to put SQL query?
In the "authorize" section.
Thanks a lot. :)
The initial problem is *not* "how do I configure FreeRADIUS". The initial problem is to write down a set of rules you want FreeRADIUS to follow. Write the rules down as simple sentences, with as much detail as possble:
if the user is "login" use the NAS address from the Access-Accept to look up the group name in the nasgrouprestrictions table ...
Ok I trust You - I will try to get my case another words. The problem description: There are usergroups: USERGROUP1 { user1, user2, user3 } USERGROUP2 { user4, user5, user6, user1 } There is also { user7 } without group. There are nasgroups: GROUPNAS1 { device1, device2, device3 } GROUPNAS2 { device4, device5, device6, device1 } There is also { device7 } without group. Shortly: I need to get permission authorization (getting permission to device login) based on usergroups and nas groups. Ruleset: The only users got access to GROUPNAS1 devices should be users from group USERGROUP1. The only users got access to GROUPNAS2 devices should be users from group USERGROUP2. For user7 (without group assigned) there should be no access for devices from GROUP1 and GROUP2 (user could only log into device7). For device7 (no nas group assigned) there should be no usergroup/devicegroup restrictions. I think that creating two tables additional tables should be enough for storing permissions: nasgrouprestrictions (id, nasgroupname, nasname) [which nas is in what group] nasgroupchecks (id, groupname, nasgroupname) [which usergroup got access to whitch group of devices] Maybe there is better way to archieve this? I am very supprised that there are no standard structures in postgres/schema.sql for this basic need. Can I use result of one query in another check in freeradius or I need to build very long and almost unreadable SQL query? What You suggest?
On Aug 7, 2023, at 3:07 PM, jkl@interduo.pl wrote:
The problem description:
There are usergroups: USERGROUP1 { user1, user2, user3 } USERGROUP2 { user4, user5, user6, user1 } There is also { user7 } without group.
There are nasgroups: GROUPNAS1 { device1, device2, device3 } GROUPNAS2 { device4, device5, device6, device1 } There is also { device7 } without group.
OK...
Shortly: I need to get permission authorization (getting permission to device login) based on usergroups and nas groups.
Ruleset: The only users got access to GROUPNAS1 devices should be users from group USERGROUP1. The only users got access to GROUPNAS2 devices should be users from group USERGROUP2. For user7 (without group assigned) there should be no access for devices from GROUP1 and GROUP2 (user could only log into device7). For device7 (no nas group assigned) there should be no usergroup/devicegroup restrictions.
These are still high level. You need to get into details as I had suggested in my earlier message. The RADIUS packets contain detailed information about NAS IP, etc. This is the information you will use to configure the above rules. If the rules don't contain this detailed information, the rules are too vague to be implemented. i.e. what information does it received in RADIUS? What attributes does it use to query SQL? What do those SQL queries look like?
I think that creating two tables additional tables should be enough for storing permissions: nasgrouprestrictions (id, nasgroupname, nasname) [which nas is in what group] nasgroupchecks (id, groupname, nasgroupname) [which usergroup got access to whitch group of devices]
Maybe there is better way to archieve this?
I am very supprised that there are no standard structures in postgres/schema.sql for this basic need.
It's not common enough to be needed in the default configuration.
Can I use result of one query in another check in freeradius or I need to build very long and almost unreadable SQL query? What You suggest?
You can use the result of one SQL query in another SQL query. Just put the intermediate data into an attribute. See raddb/dictionary for documentation on defining local attributes. Alan DeKok.
Ruleset: The only users got access to GROUPNAS1 devices should be users from group USERGROUP1. The only users got access to GROUPNAS2 devices should be users from group USERGROUP2. For user7 (without group assigned) there should be no access for devices from GROUP1 and GROUP2 (user could only log into device7). For device7 (no nas group assigned) there should be no usergroup/devicegroup restrictions.
The RADIUS packets contain detailed information about NAS IP, etc. This is the information you will use to configure the above rules. If the rules don't contain this detailed information, the rules are too vague to be implemented.
I am login to some device using login+pass+ipaddress. Login and pass are in radcheck SQL table: 1 | login1 | Cleartext-Password | := | verystrongpass ipaddress is in table nas id | nasname | shortname | type | ports | secret | 6158 | 127.0.0.1 | freeradius-web-php | other | | verystrongsecret|
i.e. what information does it received in RADIUS? What attributes does it use to query SQL? What do those SQL queries look like?
Now I use vanillia queries from /etc/freeradius/3.0/mods-config/sql/main/postgresql/queries.conf. Less changes are better. I am testing locally: $ radtest -x login1 verystrongpass 172.20.100.3:1812 1 verystrongsecret Sent Access-Request Id 44 from 0.0.0.0:36238 to 172.20.100.3:1812 length 75 User-Name = "login1" User-Password = "verystrongpass" NAS-IP-Address = 127.0.1.1 NAS-Port = 1 Message-Authenticator = 0x00 Cleartext-Password = "verystrongpass" Got response: Received Access-Accept Id 185 from 172.20.100.3:1812 to 172.20.100.3:41317 length 20 It just work.
You can use the result of one SQL query in another SQL query. Just put the intermediate data into an attribute. See raddb/dictionary for documentation on defining local attributes.
I will check that for sure.
These are still high level. You need to get into details as I had suggested in my earlier message.
Now...could I add something more? Its like learning new programming language.
participants (3)
-
Alan DeKok -
Jarosław Kłopotek -
jkl@interduo.pl