Authenticate/Attributes based on NAS-IP-Address - SOLVED

N White nwtech at tele-net.net
Thu Jun 9 19:39:57 CEST 2005


Ok, so here's what I did to solve this problem. I'm posting this just 
for anyone out there searching the Archives that needs something like my 
situation. I did a lot of reading, and a lot of re-reading, and finally 
the lightbulb over my head clicked on! I read Mike's previous post 
several times over and over, and finally understand it:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg16842.html

My goal as stated before: 
Basically if a user logs in through NAS1, they are assigned X attributes
with *dynamic* IP, if they log in through NAS2, they are assigned Y
attributes with a *static* IP. And all this needs to be done in MySQL,
that way my own PHP frontend (which I intend to release GPL) can work
with it. Also I think MySQL scales better.

1) Create a new field (column) in the radreply, radgroupcheck, and 
radgroupreply tables. You could name this column anything you want, but 
following Mike's earlier post, mine is set up as "HuntGroup". The name is 
insignificant, it is merely a reference, but you should make sure that 
it stays the same throughout this.

2) Modify sql.conf and change the following:
authorize_group_check_query
authorize_group_reply_query
authorize_reply_query
Make them the following:
authorize_group_check_query = "SELECT 
${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op  
FROM ${groupcheck_table},${usergroup_table} WHERE 
${usergroup_table}.Username = '%{SQL-User-Name}' AND 
${usergroup_table}.GroupName = ${groupcheck_table}.GroupName AND 
(${groupcheck_table}.HuntGroup = '%{request:Client-IP-Address}' OR 
${groupcheck_table}.HuntGroup IS NULL) ORDER BY ${groupcheck_table}.id"

authorize_group_reply_query = "SELECT 
${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op  
FROM ${groupreply_table},${usergroup_table} WHERE 
${usergroup_table}.Username = '%{SQL-User-Name}' AND 
${usergroup_table}.GroupName = ${groupreply_table}.GroupName AND 
(${groupreply_table}.HuntGroup = '%{request:Client-IP-Address}' OR 
${groupreply_table}.HuntGroup IS NULL) ORDER BY ${groupreply_table}.id"

authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM 
${authreply_table} WHERE Username = '%{SQL-User-Name}' AND 
(${authreply_table}.HuntGroup = '%{request:Client-IP-Address}' OR 
${authreply_table}.HuntGroup = '' OR ${authreply_table}.HuntGroup IS 
NULL) ORDER BY id"

Note that where it says ".HuntGroup" this is where you would change the 
name depending on what you call your field in #1. Also, where it says 
"%{request:Client-IP-Address}" this is going to be the attribute you are 
checking against. Originally I had it set to "NAS-IP-Address" as I was 
checking the NAS to determine what to reply with. Graeme pointed out that 
Client-IP is more secure, as NAS-IP can be spoofed.

3) Now insert into the various tables for testing. I assume here that 
you already have groups set up. I have two groups, Wireless and Dial-Up. 
In radgroupcheck:
id    GroupName   Attribute   op   Value    HuntGroup
132   Wireless    Auth-Type   ==   Local    68.190.182.200
134   Dial-Up     Auth-Type   ==   Local    63.151.182.3
135   Dial-Up     Auth-Type   ==   Reject   68.190.182.200

We need the reject under Dial-Up so that it doesn't reply with Dial-Up 
attributes coming from that NAS (IP). Someone correct me if that is 
wrong, perhaps that isn't needed?
In radgroupreply:
133   Wireless   Service-Type         :=   Framed-User       0   68.190.182.200
132   Wireless   Framed-Compression   :=   Stac-LZS          0   68.190.182.200
131   Wireless   Framed-MTU           :=   1480              0   68.190.182.200
130   Wireless   Framed-IP-Netmask    :=   255.255.255.255   0   68.190.182.200
129   Wireless   Framed-IP-Address    :=   255.255.255.254   0   68.190.182.200
128   Wireless   Framed-Protocol      :=   PPP               0   68.190.182.200
134   Wireless   Session-Timeout      :=   14400             0   68.190.182.200
135   Wireless   Idle-Timeout         :=   600               0   68.190.182.200
136   Wireless   Port-Limit           :=   2                 0   68.190.182.200

In radreply:
171   testaccount   Framed-IP-Address   :=   192.168.3.5   68.190.182.200

4) I put the user "testaccount" into both the Dial-Up and Wireless 
groups. Now, if I run a test (I use NTRadPing) from anything other than 
68.190.182.200, it replies with the attributes for Dial-Up. If I run a 
test from 68.190.182.200, it replies with the attributes for Wireless, 
including the Static IP. Now, if I insert "testaccount2" into 
radreply (assuming the user is a part of Dial-Up already), with a Static 
IP, but nothing in "HuntGroup", and test from anything, it returns the 
attributes only in radreply - Static IP.
You could expand upon this, as it may not be complete. Feel free to 
correct me or make other points.

-Nick


Graeme Hinchliffe wrote:

>Hiya,
>	Use Client-IP rather than NAS-IP as NAS-IP can be spoofed.
>
>Graeme
>
>On Wed, 2005-06-08 at 15:30 -0700, N White wrote:
>  
>
>>Graeme Hinchliffe wrote:
>>
>>    
>>
>>>Hiya
>>>	perhaps you could do it using huntgroups.
>>>
>>>	Put the static attributes for the user in the radreply table, then
>>>assign each nas to a huntgroup, so say
>>>
>>>NAS-dynamic
>>>
>>>	Then in radgroupreply you put the attributes for for dynamic IP
>>>assignment on the NAS-dynamic, and ensure there is an attribute to
>>>override the static settings.
>>>
>>>not 100% about the overriding of the static IP settings, but would think
>>>it possible using the assignment ( := ) operator and possibly a null
>>>value?
>>>
>>>Hope that's of some help.
>>> 
>>>
>>>      
>>>
>>Do I need to set up a "HuntGroups" field like Mike suggested? Ok, so in 
>>huntgroups file:
>>
>>Wireless         NAS-IP-Address = (the IP of the Wireless NAS)
>>                      Autz-Type = SQL1 (modify radiusd.conf to include 
>>this, and sql.conf like in Mike's post?)
>>NAS-dynamic      NAS-IP-Address = (ip of dialup NAS)
>>                            NAS-IP-Address = (ip of isdn NAS)
>>
>>in radgroupreply:
>>
>>+-------------+--------------------+----+---------------------+-----------+
>>|   GroupName | Attribute          | op | Value               | HuntGroup |
>>+-------------+--------------------+----+---------------------+-----------+
>>| Wireless   | Service-Type       | =  | Framed-User         | Wireless   |
>>| Wireless   | Framed-Protocol    | =  | PPP                 | Wireless   |
>>| Wireless   | Framed-IP-Address  | =  | 255.255.255.254     | Wireless   |
>>| Wireless   | Framed-IP-Netmask  | =  | 255.255.255.255     | Wireless   |
>>| Wireless   | Framed-Compression | =  | Van-Jacobson-TCP-IP | Wireless   |
>>+-------------+--------------------+----+---------------------+-----------+
>>All Other users would go into the Dial-Up Group, which would have a HuntGroup of NAS-dynamic?
>>
>>in radreply:
>>
>>+-----------+-------------------+-----+---------------+
>>| UserName  | Attribute         | op  | Value         |
>>+-----------+-------------------+-----+---------------+
>>| test123   | Framed-IP-Address | :=  | 192.168.2.10  |
>>+-----------+-------------------+-----+---------------+
>>
>>Now in radgroupcheck do I need a NAS-IP-Address check for each group(or 
>>the wireless group?)?
>>Thanks for everyone's help.
>>
>>-Nick
>>
>>- 
>>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
------------------------
| Nick White           |
| Network Consultant   |
| http://www.edge9.net |
| nwtech at tele-net.net  |
------------------------
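To make the per-NAS selection concrete, here is an added example (not from the post or from FreeRADIUS itself) that loads the post's tables into SQLite and runs the same WHERE logic as the three sql.conf queries for a given Client-IP. The Dial-Up radgroupreply row and the testaccount2 radreply row are constructed, since the post does not list them; the NAS address is bound as a query parameter rather than interpolated into the string.

```python
import sqlite3

# Constructed sample data that mirrors the post's tables (a HuntGroup column holds
# the NAS address a row applies to; NULL means "applies from any NAS").
WIRELESS_NAS = "68.190.182.200"
DIALUP_NAS = "63.151.182.3"

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE radusergroup (UserName TEXT, GroupName TEXT);
      CREATE TABLE radgroupcheck (id INT, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT, HuntGroup TEXT);
      CREATE TABLE radgroupreply (id INT, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT, HuntGroup TEXT);
      CREATE TABLE radreply (id INT, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT, HuntGroup TEXT);""")
    db.executemany("INSERT INTO radusergroup VALUES (?,?)",
                   [("testaccount", "Wireless"), ("testaccount", "Dial-Up"), ("testaccount2", "Dial-Up")])
    db.executemany("INSERT INTO radgroupcheck VALUES (?,?,?,?,?,?)", [
        (132, "Wireless", "Auth-Type", "==", "Local", WIRELESS_NAS),
        (134, "Dial-Up", "Auth-Type", "==", "Local", DIALUP_NAS),
        (135, "Dial-Up", "Auth-Type", "==", "Reject", WIRELESS_NAS)])
    db.executemany("INSERT INTO radgroupreply VALUES (?,?,?,?,?,?)", [
        (128, "Wireless", "Framed-Protocol", ":=", "PPP", WIRELESS_NAS),
        (129, "Wireless", "Framed-IP-Address", ":=", "255.255.255.254", WIRELESS_NAS),
        (136, "Wireless", "Port-Limit", ":=", "2", WIRELESS_NAS),
        (140, "Dial-Up", "Framed-Protocol", ":=", "PPP", None)])   # constructed Dial-Up row, any NAS
    db.executemany("INSERT INTO radreply VALUES (?,?,?,?,?,?)", [
        (171, "testaccount", "Framed-IP-Address", ":=", "192.168.3.5", WIRELESS_NAS),
        (172, "testaccount2", "Framed-IP-Address", ":=", "192.168.3.6", None)])  # constructed row
    return db

# Same WHERE logic as the post's sql.conf queries; the table name is a code constant,
# and the user name and NAS address are bound parameters.
GROUP_Q = """SELECT g.id, g.GroupName, g.Attribute, g.op, g.Value FROM {table} g
             JOIN radusergroup u ON u.GroupName = g.GroupName
             WHERE u.UserName = ? AND (g.HuntGroup = ? OR g.HuntGroup IS NULL) ORDER BY g.id"""
REPLY_Q = """SELECT id, UserName, Attribute, op, Value FROM radreply WHERE UserName = ?
             AND (HuntGroup = ? OR HuntGroup = '' OR HuntGroup IS NULL) ORDER BY id"""

def authorize(db, user, client_ip):
    """Rows each of the three authorize queries selects for this user coming from this NAS,
    as {"check", "group_reply", "reply"} lists of (group-or-user, attribute, op, value)."""
    check = db.execute(GROUP_Q.format(table="radgroupcheck"), (user, client_ip)).fetchall()
    greply = db.execute(GROUP_Q.format(table="radgroupreply"), (user, client_ip)).fetchall()
    reply = db.execute(REPLY_Q, (user, client_ip)).fetchall()
    return {"check": [r[1:] for r in check], "group_reply": [r[1:] for r in greply],
            "reply": [r[1:] for r in reply]}

if __name__ == "__main__":
    db = build_db()
    for nas in (WIRELESS_NAS, DIALUP_NAS):
        print(nas, authorize(db, "testaccount", nas))
```

Running it shows the Dial-Up "Auth-Type == Reject" check row surfacing only for the wireless NAS, and the static IP in radreply only when its HuntGroup matches or is NULL.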



