Huntgroup Implementation with MySQL and Radgroupcheck
I'm looking for some help with the implementation of huntgroups. Am using mysql and have followed the following topic through: http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-td4950385.html In sites-available/default I have this, (just after preprocess: update request { Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}" } And the debug log show's this query's working: expand: %{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'} -> Location One In my radgroupcheck table, I've added Huntgroup-Name == Location One I've also modified my authorize_group_check_query in dialup.conf as per a recommendation authorize_group_check_query = "SELECT id, groupname, attribute_name, \ Value, op \ FROM ${groupcheck_table} \ WHERE ( groupname = '%{Sql-Group}' OR groupname = '%{Huntgroup-Name}' ) \ ORDER BY id" (Which doesn't make logical sense to me) What I'm failing to get my head around is how to reject or allow access based on the location their dialing in from? For example, a user from IP 1.x.x.x should be allowed access at location 1 only.
I forgot to mention that the look up works if I enter the Huntgroup-Name in radcheck. For some reason, it's just failing in radgroupcheck On Jul 26, 2012, at 09:51 AM, Jenny Blunt <jennyshoehorn@me.com> wrote: I'm looking for some help with the implementation of huntgroups. Am using mysql and have followed the following topic through: http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-td4950385.html In sites-available/default I have this, (just after preprocess: update request { Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}" } And the debug log show's this query's working: expand: %{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'} -> Location One In my radgroupcheck table, I've added Huntgroup-Name == Location One I've also modified my authorize_group_check_query in dialup.conf as per a recommendation authorize_group_check_query = "SELECT id, groupname, attribute_name, \ Value, op \ FROM ${groupcheck_table} \ WHERE ( groupname = '%{Sql-Group}' OR groupname = '%{Huntgroup-Name}' ) \ ORDER BY id" (Which doesn't make logical sense to me) What I'm failing to get my head around is how to reject or allow access based on the location their dialing in from? For example, a user from IP 1.x.x.x should be allowed access at location 1 only. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 07/26/2012 09:51 AM, Jenny Blunt wrote:
I'm looking for some help with the implementation of huntgroups.
Am using mysql and have followed the following topic through:
http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-td4950385.html
In sites-available/default I have this, (just after preprocess:
update request { Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}" }
Don't do this. Read the 2nd email in the thread you linked to. Huntgroup-Name is a special attribute; comparisons are executed dynamically. You can't just use it like an ordinary string attribute. Define another attribute in raddb/dictionary: ATTRIBUTE SQL-Location 3010 string ...and use that.
authorize_group_check_query = "SELECT id, groupname, attribute_name, \ Value, op \ FROM ${groupcheck_table} \ WHERE ( groupname = '%{Sql-Group}' OR groupname = '%{Huntgroup-Name}' ) \ ORDER BY id"
(Which doesn't make logical sense to me)
It doesn't make sense to me either. So why do it?
What I'm failing to get my head around is how to reject or allow access based on the location their dialing in from?
For example, a user from IP 1.x.x.x should be allowed access at location 1 only.
I don't know what this means. Write down the policy you want in plain english. Figure out what sources of data you need to execute that policy. Read those sources of data into attributes. Write a policy to check them. For example: authorize { update request { SQL-Location = "%{sql:select location from ...}" } if (NAS-IP-Address =~ /^1\./) { if (SQL-Location != "Location 1") { reject } } }
Hi Phil, thanks for the reply and help. Have been in a pickle with this for an age. Could you confirm that the query at the bottom should go in the sites-available/default file in the auth section? Huntgroups work with radcheck but understand I need a separate attr now (at last)! On Jul 26, 2012, at 10:07 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote: On 07/26/2012 09:51 AM, Jenny Blunt wrote:
I'm looking for some help with the implementation of huntgroups.
Am using mysql and have followed the following topic through:
http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-td4950385.html
In sites-available/default I have this, (just after preprocess:
update request { Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}" }
Don't do this. Read the 2nd email in the thread you linked to. Huntgroup-Name is a special attribute; comparisons are executed dynamically. You can't just use it like an ordinary string attribute. Define another attribute in raddb/dictionary: ATTRIBUTE SQL-Location 3010 string ...and use that.
authorize_group_check_query = "SELECT id, groupname, attribute_name, \ Value, op \ FROM ${groupcheck_table} \ WHERE ( groupname = '%{Sql-Group}' OR groupname = '%{Huntgroup-Name}' ) \ ORDER BY id"
(Which doesn't make logical sense to me)
It doesn't make sense to me either. So why do it?
What I'm failing to get my head around is how to reject or allow access based on the location their dialing in from?
For example, a user from IP 1.x.x.x should be allowed access at location 1 only.
I don't know what this means. Write down the policy you want in plain english. Figure out what sources of data you need to execute that policy. Read those sources of data into attributes. Write a policy to check them. For example: authorize { update request { SQL-Location = "%{sql:select location from ...}" } if (NAS-IP-Address =~ /^1\./) { if (SQL-Location != "Location 1") { reject } } } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How do I go about comparing two attributes from an update request? I have the following in my default conf. file: update request { SQL-Location := "%{sql: SELECT xxx}" } update request { SQL-Location-Id := "%{sql: SELECT yyy }" } if (SQL-Location != SQL-Location-Id ) { reject } And my debug log shows: Info: Failed parsing "SQL-Location-Id": Unknown value SQL-Location-Id for attribute SQL-Location
On 26/07/12 12:41, Jenny Blunt wrote:
How do I go about comparing two attributes from an update request?
I have the following in my default conf. file:
update request { SQL-Location := "%{sql: SELECT xxx}" } update request { SQL-Location-Id := "%{sql: SELECT yyy }" }
if (SQL-Location != SQL-Location-Id ) { reject }
if (SQL-Location == "%{SQL-Location-Id}") { } Bare words on the right hand side of operators are either interpreted as dictionary values or string constants, not other variables.
Mucho gracias On Jul 26, 2012, at 01:01 PM, Phil Mayers <p.mayers@imperial.ac.uk> wrote: On 26/07/12 12:41, Jenny Blunt wrote:
How do I go about comparing two attributes from an update request?
I have the following in my default conf. file:
update request { SQL-Location := "%{sql: SELECT xxx}" } update request { SQL-Location-Id := "%{sql: SELECT yyy }" }
if (SQL-Location != SQL-Location-Id ) { reject }
if (SQL-Location == "%{SQL-Location-Id}") { } Bare words on the right hand side of operators are either interpreted as dictionary values or string constants, not other variables. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On a similar note, If I wanted to use the first result in the second update request, how can I go about that? I've tried the following, but I get a blank value for SQL-Location-Id update request { SQL-Location := "%{sql: SELECT xxx}" } update request { SQL-Location-Id := "%{sql: SELECT * where XXX = '%{SQL-Location-Id}' }" } Is this possible? On 26 Jul 2012, at 12:41, Jenny Blunt wrote:
How do I go about comparing two attributes from an update request?
I have the following in my default conf. file:
update request { SQL-Location := "%{sql: SELECT xxx}" }
update request { SQL-Location-Id := "%{sql: SELECT yyy }" }
if (SQL-Location != SQL-Location-Id ) { reject }
And my debug log shows:
Info: Failed parsing "SQL-Location-Id": Unknown value SQL-Location-Id for attribute SQL-Location
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jenny Blunt wrote:
On a similar note, If I wanted to use the first result in the second update request, how can I go about that?
I've tried the following, but I get a blank value for SQL-Location-Id
update request { SQL-Location := "%{sql: SELECT xxx}" }
update request { SQL-Location-Id := "%{sql: SELECT * where XXX = '%{SQL-Location-Id}' }" }
Is this possible?
Of course. It works. There's no magic. Read the debug log to see what's going on. And post the REAL configuration lines you're using. Re-typing them means typos && mistakes, which makes it impossible to help you. i.e. your second line updates SQL-Location-Id by referencing SQL-Location-Id. That looks wrong. Alan DeKok.
Thanks, my mistake - copied from wrong place. On 27 Jul 2012, at 14:27, Alan DeKok wrote:
Jenny Blunt wrote:
On a similar note, If I wanted to use the first result in the second update request, how can I go about that?
I've tried the following, but I get a blank value for SQL-Location-Id
update request { SQL-Location := "%{sql: SELECT xxx}" }
update request { SQL-Location-Id := "%{sql: SELECT * where XXX = '%{SQL-Location-Id}' }" }
Is this possible?
Of course. It works. There's no magic.
Read the debug log to see what's going on. And post the REAL configuration lines you're using. Re-typing them means typos && mistakes, which makes it impossible to help you.
i.e. your second line updates SQL-Location-Id by referencing SQL-Location-Id. That looks wrong.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 27/07/12 14:12, Jenny Blunt wrote:
On a similar note, If I wanted to use the first result in the second update request, how can I go about that?
I've tried the following, but I get a blank value for SQL-Location-Id
Yes, because it's not set.
update request { SQL-Location := "%{sql: SELECT xxx}" }
update request { SQL-Location-Id := "%{sql: SELECT * where XXX = '%{SQL-Location-Id}' }" }
Read that carefully again; is this really what you mean? Don't you want "SQL-Location" in there, not "SQL-Location-Id"?
participants (3)
-
Alan DeKok -
Jenny Blunt -
Phil Mayers