multi ssid use multi radcheck
hi, I think I must thanks for FR project @Alan DeKok and @others.it is a great and prefect job. I hava two ssid,SSID-TMP for temporary user and the SSID-EMP for employee-user,they both use the realm_sql for auth. the data in radcheck as follows: current,in raddb/sq/mysql/dialup.conf, authorize_check_query = "SELECT id, username, attribute, value, op FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' ORDER BY id" so when a temporary user tmp_user connect SSID-EMP(for employee),he also get the correct password for connecting the SSID-EMP.that should be disabled. the problem is:how can I map the user to the correct record? I have extented radcheck tables with field user_ssid,so the records like: and change the authorize_check_query statement to: "SELECT id, username, attribute, value, op FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' and ssid='%{Aruba_Essid_Name}' ORDER BY id" but I donot get the correct sql statement: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'emp' and ssid='' ORDER BY id another approach: I define another virtual server,but they use the same sql realm,and use the same sql_query statement, How can I achieve the resule what I want? I am confused about this,thanks for any suggestion or advise, apologize for my english, gh.li tel:+8613910260406 email:gh.li@microshield.com.cn
On 23/03/2017 05:34, gh.li@microshield.com.cn wrote:
I have extented radcheck tables with field user_ssid,so the records like:
and change the authorize_check_query statement to: "SELECT id, username, attribute, value, op FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' and ssid='%{Aruba_Essid_Name}' ORDER BY id"
but I donot get the correct sql statement: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'emp' and ssid='' ORDER BY id Are you sure the incoming request contains an "Aruba_Essid_Name" attribute? According to the dictionary I have here, it should have dashes and not underscores:
share/dictionary.aruba:ATTRIBUTE Aruba-Essid-Name 5 string However, there's a better way to do what you're doing: separate authentication (who you are) from authorization (what you are allowed to do). In the sql tables, you can do this using groups. (1) Make each of your employee accounts members of an 'employee' group (insert into the usergroup_table which is by default called "radusergroup") (2) Add your authorization rules into unlang, in a policy entry called from your authorize{} or post-auth{} section wireless_authz { if (&Aruba-Essid-Name == "SSID-EMP" && not (&SQL-Group[*] == 'employee')) { reject } } (It might be possible to hack something together using the radgroupcheck table, but the unlang approach is simple and explicit) HTH, Brian.
On Mar 23, 2017, at 1:34 AM, gh.li@microshield.com.cn wrote:
the problem is:how can I map the user to the correct record?
a) include the SSID in the table and in the queries, b) have two different SQL tables.
I have extented radcheck tables with field user_ssid,so the records like:
and change the authorize_check_query statement to: "SELECT id, username, attribute, value, op FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' and ssid='%{Aruba_Essid_Name}' ORDER BY id"
but I donot get the correct sql statement: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'emp' and ssid='' ORDER BY id
As always, read the debug log to see why. Does the packet include the Aruba_Essid_Name attribute? Alan DeKok.
participants (3)
-
Alan DeKok -
Brian Candler -
gh.li@microshield.com.cn