Hi all, I use Freeradius 1.1.7 (yes, sorry I know it is a little bit old but there is no time to upgrade :( I want that the requests from some servers are checked and authenticated through LDAP-Groups for example Requests from IP x.x.x.x should be authenticate only if the user is in ldap-group employee, tha same for IP y.y.y.y . Then I have some other servers with requests that don't need LDAP authorisation. I used the Huntgroups to define the first two servers als huntgroup "testldap" and the rest as huntgroup "all". That functions great for IP Addresses. The list ist long, but still ok. Only if I want to do that for network of clients this doesn't work. The problem is that I must list all of the servers that should gain access and I have a lot of PC-Pools which use radius to authenticate. In the client.conf they are written with the network addresses, that doesn't work in huntgroups file. I don't want to list all of the PC-Pool members in the Huntgroups because there are too many... Does Huntgroup support only IP-Addresses or I can fill up Network Addresses too? Or there is another workaround? Or maybe this issue is already changed in the new version 2.3.1? users -------- DEFAULT Huntgroup-Name==testldap, Ldap-Group == employee, Auth-Type := Pam Fall-Through = no DEFAULT Huntgroup-Name==all, Auth-Type := Pam Fall-Through = no DEFAULT Auth-Type := Reject Reply-Message = "Please call the helpdesk." huntgroups ----------------- #Test LDAP testldap NAS-IP-Address == x.x.x.x testldap NAS-IP-Address == y.y.y.y #All Users all NAS-IP-Address == a.a.a.a .... all NAS-IP-Address == z.z.z.z/26 Greets, Meyes
Does Huntgroup support only IP-Addresses or I can fill up Network Addresses too?
It's not what huntgroups support but what does the attribute (NAS-IP-Address) support. And it is an IP address, not network.
Or there is another workaround? Or maybe this issue is already changed in the new version 2.3.1?
In 2.1.3 you can use unlang and not need huntgroups at all. Read man unlang on freeradius site. Ivan Kalik Kalik Informatika ISP
In 2.1.3 you can use unlang and not need huntgroups at all. Read man unlang on freeradius site.
Thank you for answer Ivan. I'm thinking about upgrading of 2.1.3 or 2.1.4 but I'm not really sure how to transform my huntgroups und users configuration in unlang. I read the documentation but I have big problems to understand it. Please I need a little bit help on this Should it be something like that? if (Ldap-Group == employee && NAS-IP-Address >x.x.x.x && NAS-IP-Address< y.y.y.y) { Auth-Type:= Pam} else if (Ldap-Group == student && NAS-IP-Address >z.z.z.z && NAS-IP-Address< y.y.y.y) { Auth-Type:= Pam} else .... if (NAS-IP-Address >z.z.z.z && NAS-IP-Address< y.y.y.y) { Auth-Type:= Pam} else { Auth-Type := Reject } Sorry but I'm not sure 1. whether the NAS-IP-Address ist the right variable to check if a client is in an Subnetwork 2. where should I put this if-condition: kann I put it in users instead of Huntgroups? Or should stay in sites-available/default and what section or in radiusd.conf? 3. I have about more than 100 different Clients, some with IP-Address some with NetworkMask. It is really simple to put that ones with IP-Addresses into the huntgroups file with different groups . But when I implement a condition with unlang for every one of them, wouldn't that be a killer for the performance when every query checks the script? Is that possible that I keep my huntgroups for all clients with IP-Addresses and write a conditions only for network masks? What will be the configuration then? DEFAULT Huntgroup-Name==testldap, Ldap-Group == employee, Auth-Type := Pam Fall-Through = no DEFAULT if (NAS-IP-Address >z.z.z.z && NAS-IP-Address< y.y.y.y) { Auth-Type:= Pam} else { Auth-Type := Reject Reply-Message = "Please call the helpdesk." } Does that make sense? Greets, Meyes
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Is that possible that I keep my huntgroups for all clients with IP-Addresses and write a conditions only for network masks?
That would probably be the best. You might benefit from using sql huntgroup implementation (pull IP's from the database): http://wiki.freeradius.org/SQL_Huntgroup_HOWTO
What will be the configuration then?
DEFAULT Huntgroup-Name==testldap, Ldap-Group == employee, Auth-Type := Pam Fall-Through = no
DEFAULT if (NAS-IP-Address >z.z.z.z && NAS-IP-Address< y.y.y.y) { Auth-Type:= Pam} else {
Auth-Type := Reject Reply-Message = "Please call the helpdesk." }
Does that make sense?
Not really. Sick to one thing - users file or unlang. I would recommend unlang. What you posted is a mixture of both but the essence is OK. Just use regex for checking subnets. Ivan Kalik Kalik Informatika ISP
What will be the configuration then?
DEFAULT Huntgroup-Name==testldap, Ldap-Group == employee, Auth-Type := Pam Fall-Through = no
DEFAULT if (NAS-IP-Address >z.z.z.z && NAS-IP-Address< y.y.y.y) { Auth-Type:= Pam} else {
Auth-Type := Reject Reply-Message = "Please call the helpdesk." }
Does that make sense?
Not really. Sick to one thing - users file or unlang. I would recommend unlang. I already though about your advice to concetrate at unlang and to check in
sites-enabled/default --------------------- authorize { ldap if (Ldap-Group == "employee" && NAS-IP-Address == ^131\.(220)\.(1)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$) {ok} else if (Ldap-Group == "student" && NAS-IP-Address == ^131\.(220)\.(2)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$) {ok} else if (Huntgroup-Name == "testldap" && Ldap-Group == "student" ) {ok} else ............. else {reject} Is that right? Should Auth-Type:=Pam stay then in users? I read in another post from today "How to allow nas'es to serve only groups of clients?" that somebody tries to do almost the same with unlang and SQL-Groups what I'm trying to do with unlang and LDAP-Groups. It seems that unlang doesn't works with SQL-Groups so could it be that the same situation ist for LDAP-Groups too? I still have freeradius 1.1.7 and I would like to do urgent upgrade only if I can use unlang to check subnets and Ldap-Groups with it. If this is not possible, I would like to know. Is there maybe another way to check subnets? Can I user regex for example in huntgroups? Then I wouldn't need to use unlang and can stay some more time at my current version of freeradius. Greets Meyes
What you posted is a mixture of both but the essence is OK. Just use regex for checking subnets.
sites-enabled/default --------------------- authorize { ldap
if (Ldap-Group == "employee" && NAS-IP-Address == ^131\.(220)\.(1)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$) {ok} else
if (Ldap-Group == "student" && NAS-IP-Address == ^131\.(220)\.(2)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$) {ok} else if (Huntgroup-Name == "testldap" && Ldap-Group == "student" ) {ok} else .............. else {reject}
Is that right?
No. But if you remove else and change if to elsif it will be.
Should Auth-Type:=Pam stay then in users?
Yes. Or you can put it in here instead of ok.
I read in another post from today "How to allow nas'es to serve only groups of clients?" that somebody tries to do almost the same with unlang and SQL-Groups what I'm trying to do with unlang and LDAP-Groups. It seems that unlang doesn't works with SQL-Groups so could it be that the same situation ist for LDAP-Groups too?
== should work. It seems that != doesn't work in unlang with those attributes. Ivan Kalik Kalik Informatika ISP
participants (2)
-
HRZ Konten -
tnt@kalik.net