How to allow nas'es to serve only groups of clients?
Hi. I have two types of nases: 1) hotspots 2) vpn servers. I need vpn nases authorize only vpn users and hotspot nases authorize only hotspot users. How can i divide users into several groups and reject vpn accounts to login through hotspot and vice versa? I think i must use huntgroups and unlang, but not cleanly understand how. -- ISP CrIS, Softwarium
Hi. I have two types of nases: 1) hotspots 2) vpn servers. I need vpn nases authorize only vpn users and hotspot nases authorize only hotspot users. How can i divide users into several groups and reject vpn accounts to login through hotspot and vice versa? I think i must use huntgroups and unlang, but not cleanly understand how.
That depends on where do you keep your user details. If it's in sql you can have SQL-Groups, in Ldap you put them in Ldap-Groups etc. Ivan Kalik Kalik Informatika ISP
On Wed, 11 Mar 2009 23:51:50 +0200, <tnt@kalik.net> wrote:
Hi. I have two types of nases: 1) hotspots 2) vpn servers. I need vpn nases authorize only vpn users and hotspot nases authorize only hotspot users. How can i divide users into several groups and reject vpn accounts to login through hotspot and vice versa? I think i must use huntgroups and unlang, but not cleanly understand how.
That depends on where do you keep your user details. If it's in sql you can have SQL-Groups, in Ldap you put them in Ldap-Groups etc.
I use rlm_sql to store user attributes, but i thought sql groups it's internal feature of rlm_sql and not related to radius server at all.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ISP CrIS, Softwarium
I use rlm_sql to store user attributes, but i thought sql groups it's internal feature of rlm_sql and not related to radius server at all.
It is internal, but SQL-Group can be used in other modules too. If you check SQL-Group in, lets say, users file, rlm_sql will be called and value of SQL-Group will be compared to values in radusergroup for that User-Name. If there is a match ... Ivan Kalik Kalik Informatika ISP
Thank you for help. I try to do as you say and put this to authorize section after preprocess: preprocess # allow hotspot users only if (SQL-Group != 'Spot') { reject } Here debug on this action: ++? if (SQL-Group != 'Spot') sql_groupcmp expand: %{User-Name} -> spot2 sql_set_user escaped user --> 'spot2' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'spot2' ORDER BY priority sql_groupcmp finished: User is a member of group Spot rlm_sql (sql): Released sql socket id: 4 ? Evaluating (SQL-Group != 'Spot') -> TRUE ++? if (SQL-Group != 'Spot') -> TRUE ++- entering if (SQL-Group != 'Spot') {...} +++[reject] returns reject ++- if (SQL-Group != 'Spot') returns reject strange behaviour, user 'spot2' belongs to group 'Spot', but if clause return TRUE and reject returned. Other strange thing is user 'test2' which do not a member of 'Spot' group, but if clause do not work for them: ++? if (SQL-Group != 'Spot') sql_groupcmp expand: %{User-Name} -> test2 sql_set_user escaped user --> 'test2' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test2' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 sql_groupcmp finished: User is NOT a member of group Spot <------ and not reject here ++[chap] returns noop ++[mschap] returns noop Here spot2 and test2 groups: mysql> select * from radusergroup where username='spot2' or username='test2'; +----------+-----------+----------+ | username | groupname | priority | +----------+-----------+----------+ | spot2 | Spot | 1 | | test2 | VPN | 1 | +----------+-----------+----------+ 2 rows in set (0.01 sec) On Thu, 12 Mar 2009 12:12:15 +0200, <tnt@kalik.net> wrote:
I use rlm_sql to store user attributes, but i thought sql groups it's internal feature of rlm_sql and not related to radius server at all.
It is internal, but SQL-Group can be used in other modules too. If you check SQL-Group in, lets say, users file, rlm_sql will be called and value of SQL-Group will be compared to values in radusergroup for that User-Name. If there is a match ...
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ISP CrIS, Softwarium
Thank you for help. I try to do as you say and put this to authorize section after preprocess:
preprocess
# allow hotspot users only if (SQL-Group != 'Spot') { reject }
Here debug on this action:
++? if (SQL-Group != 'Spot') sql_groupcmp expand: %{User-Name} -> spot2 sql_set_user escaped user --> 'spot2' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'spot2' ORDER BY priority sql_groupcmp finished: User is a member of group Spot rlm_sql (sql): Released sql socket id: 4 ? Evaluating (SQL-Group != 'Spot') -> TRUE ++? if (SQL-Group != 'Spot') -> TRUE ++- entering if (SQL-Group != 'Spot') {...} +++[reject] returns reject ++- if (SQL-Group != 'Spot') returns reject
strange behaviour, user 'spot2' belongs to group 'Spot', but if clause return TRUE and reject returned.
OK, it looks like it doesn't work in unlang. I don't know if it is suposed to, but Alan will know. Put this in users file: DEFAULT SQL-Group != "Spot", Auth-Type := Reject (, Huntgroup-Name == "hotspot") Reply-Message := "Only hotspot users allowed" You will probably need to add NAS-IP-Address or Huntgroup-Name in order to tie it to the originating NAS. Ivan Kalik Kalik Informatika ISP
On Thu, 12 Mar 2009 14:20:58 +0200, <tnt@kalik.net> wrote:
Thank you for help. I try to do as you say and put this to authorize section after preprocess:
preprocess
# allow hotspot users only if (SQL-Group != 'Spot') { reject }
Here debug on this action:
++? if (SQL-Group != 'Spot') sql_groupcmp expand: %{User-Name} -> spot2 sql_set_user escaped user --> 'spot2' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'spot2' ORDER BY priority sql_groupcmp finished: User is a member of group Spot rlm_sql (sql): Released sql socket id: 4 ? Evaluating (SQL-Group != 'Spot') -> TRUE ++? if (SQL-Group != 'Spot') -> TRUE ++- entering if (SQL-Group != 'Spot') {...} +++[reject] returns reject ++- if (SQL-Group != 'Spot') returns reject
strange behaviour, user 'spot2' belongs to group 'Spot', but if clause return TRUE and reject returned.
OK, it looks like it doesn't work in unlang. I don't know if it is suposed to, but Alan will know. Put this in users file:
DEFAULT SQL-Group != "Spot", Auth-Type := Reject (, Huntgroup-Name == "hotspot") Reply-Message := "Only hotspot users allowed"
You will probably need to add NAS-IP-Address or Huntgroup-Name in order to tie it to the originating NAS.
Ivan Kalik Kalik Informatika ISP
This is works with hungroups, thanks! Here example for future readers: raddb/users: DEFAULT SQL-Group != "Spot", Auth-Type := Reject, Huntgroup-Name == "Spot" Reply-Message := "ERROR 104: Only hotspot users allowed to login." raddb/huntgroups: Spot NAS-IP-Address == 212.110.144.142 Spot NAS-IP-Address == 212.110.136.226
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ISP CrIS, Softwarium
Alexander Solodukhin wrote:
Thank you for help. I try to do as you say and put this to authorize section after preprocess:
preprocess
# allow hotspot users only if (SQL-Group != 'Spot') {
That won't work... the SQL-Group attribute is a "callback" attribute. i.e. Using it results in a call to the SQL module, which then does the comparison itself. And... it ignores the operator '!='. The operator is always '=='. This is because the SQL-Group functionality goes way back to version 0.2, and isn't integrated with the newer "unlang" feature. You could send a patch to integrate it with unlang, or do: if (! (SQL-Group == 'Spot')) { reject } That should work. It lets the SQL-Group code use '==', and then uses the newer expression parser to do the "NOT in the group" checking. Alan DeKok.
On Thu, 12 Mar 2009 14:30:07 +0200, Alan DeKok <aland@deployingradius.com> wrote:
Alexander Solodukhin wrote:
Thank you for help. I try to do as you say and put this to authorize section after preprocess:
preprocess
# allow hotspot users only if (SQL-Group != 'Spot') {
That won't work... the SQL-Group attribute is a "callback" attribute. i.e. Using it results in a call to the SQL module, which then does the comparison itself.
And... it ignores the operator '!='. The operator is always '=='. This is because the SQL-Group functionality goes way back to version 0.2, and isn't integrated with the newer "unlang" feature.
You could send a patch to integrate it with unlang, or do:
if (! (SQL-Group == 'Spot')) { reject }
That should work. It lets the SQL-Group code use '==', and then uses the newer expression parser to do the "NOT in the group" checking.
No luck, Alan. Here the code: # allow hotspot users only if (!(SQL-Group == 'Spot')) { reject } And debug output: ++? if (!(SQL-Group == 'Spot')) sql_groupcmp expand: %{User-Name} -> spot2 sql_set_user escaped user --> 'spot2' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'spot2' ORDER BY priority sql_groupcmp finished: User is a member of group Spot rlm_sql (sql): Released sql socket id: 4 ?? Evaluating (SQL-Group == 'Spot') -> TRUE ? Converting !TRUE -> FALSE ++? if (!(SQL-Group == 'Spot')) -> FALSE Seems it works for 'spot2' account, but: ++? if (!(SQL-Group == 'Spot')) sql_groupcmp expand: %{User-Name} -> test2 sql_set_user escaped user --> 'test2' rlm_sql (sql): Reserving sql socket id: 1 expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test2' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 sql_groupcmp finished: User is NOT a member of group Spot ++[chap] returns noop ++[mschap] returns noop not work for test2 account. -- ISP CrIS, Softwarium
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Alexander Solodukhin -
Alexander Yu. Solodukhin -
tnt@kalik.net