Authenticate/Attributes based on NAS-IP-Address - SOLVED
N White
nwtech at tele-net.net
Thu Jun 9 19:39:57 CEST 2005
Ok, so here's what I did to solve this problem. I'm posting this just
for anyone out there searching the Archives that needs something like my
situation. I did a lot of reading, and a lot of re-reading, and finally
the lightbulb over my head clicked on! I read Mike's previous post
several times over and over, and finally understand it:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg16842.html
My goal as stated before:
Basically if a user logs in through NAS1, they are assigned X attributes
with *dynamic* IP, if they log in through NAS2, they are assigned Y
attributes with a *static* IP. And all this needs to be done in MySQL,
that way my own PHP frontend (which I intend to release GPL) can work
with it. Also I think MySQL scales better.
1) Create a new field (column) in the radreply, radgroupcheck, and
radgroupreply tables. You could name this column anything you want, but
following Mike's earlier post, mine is set up as "HuntGroup". The name is
insignificant, it is merely a reference, but you should make sure that
it stays the same throughout this.
2) Modify sql.conf and change the following:
authorize_group_check_query
authorize_group_reply_query
authorize_reply_query
Make them the following:
# Rows whose HuntGroup is NULL apply to every NAS. Note that the two group
# queries only treat NULL that way, while the radreply query below also
# accepts an empty string, so a front end that writes '' instead of NULL
# will silently drop group rows.
authorize_group_check_query = "SELECT
${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op
FROM ${groupcheck_table},${usergroup_table} WHERE
${usergroup_table}.Username = '%{SQL-User-Name}' AND
${usergroup_table}.GroupName = ${groupcheck_table}.GroupName AND
(${groupcheck_table}.HuntGroup = '%{request:Client-IP-Address}' OR
${groupcheck_table}.HuntGroup IS NULL) ORDER BY ${groupcheck_table}.id"
authorize_group_reply_query = "SELECT
${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op
FROM ${groupreply_table},${usergroup_table} WHERE
${usergroup_table}.Username = '%{SQL-User-Name}' AND
${usergroup_table}.GroupName = ${groupreply_table}.GroupName AND
(${groupreply_table}.HuntGroup = '%{request:Client-IP-Address}' OR
${groupreply_table}.HuntGroup IS NULL) ORDER BY ${groupreply_table}.id"
authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM
${authreply_table} WHERE Username = '%{SQL-User-Name}' AND
(${authreply_table}.HuntGroup = '%{request:Client-IP-Address}' OR
${authreply_table}.HuntGroup = '' OR ${authreply_table}.HuntGroup IS
NULL) ORDER BY id"
Note that where it says ".HuntGroup" this is where you would change the
name depending on what you call your field in #1. Also, where it says
"%{request:Client-IP-Address}" this is going to be the attribute you are
checking against. Originally I had it set to "NAS-IP-Address" as I was
checking the NAS to determine what to reply with. Graeme pointed out that
Client-IP is more secure, as NAS-IP can be spoofed.
3) Now insert into the various tables for testing. I assume here that
you already have groups set up. I have two groups, Wireless and Dial-Up.
In radgroupcheck:

+-----+-----------+-----------+----+--------+----------------+
| id  | GroupName | Attribute | op | Value  | HuntGroup      |
+-----+-----------+-----------+----+--------+----------------+
| 132 | Wireless  | Auth-Type | == | Local  | 68.190.182.200 |
| 134 | Dial-Up   | Auth-Type | == | Local  | 63.151.182.3   |
| 135 | Dial-Up   | Auth-Type | == | Reject | 68.190.182.200 |
+-----+-----------+-----------+----+--------+----------------+
We need the reject under Dial-Up so that it doesn't reply with Dial-Up
attributes coming from that NAS (IP). Someone correct me if that is
wrong, perhaps that isn't needed?
In radgroupreply (the column of zeros is the prio field of the stock 1.x schema):

+-----+-----------+--------------------+----+-----------------+------+----------------+
| id  | GroupName | Attribute          | op | Value           | prio | HuntGroup      |
+-----+-----------+--------------------+----+-----------------+------+----------------+
| 133 | Wireless  | Service-Type       | := | Framed-User     | 0    | 68.190.182.200 |
| 132 | Wireless  | Framed-Compression | := | Stac-LZS        | 0    | 68.190.182.200 |
| 131 | Wireless  | Framed-MTU         | := | 1480            | 0    | 68.190.182.200 |
| 130 | Wireless  | Framed-IP-Netmask  | := | 255.255.255.255 | 0    | 68.190.182.200 |
| 129 | Wireless  | Framed-IP-Address  | := | 255.255.255.254 | 0    | 68.190.182.200 |
| 128 | Wireless  | Framed-Protocol    | := | PPP             | 0    | 68.190.182.200 |
| 134 | Wireless  | Session-Timeout    | := | 14400           | 0    | 68.190.182.200 |
| 135 | Wireless  | Idle-Timeout       | := | 600             | 0    | 68.190.182.200 |
| 136 | Wireless  | Port-Limit         | := | 2               | 0    | 68.190.182.200 |
+-----+-----------+--------------------+----+-----------------+------+----------------+
In radreply:

+-----+-------------+-------------------+----+-------------+----------------+
| id  | UserName    | Attribute         | op | Value       | HuntGroup      |
+-----+-------------+-------------------+----+-------------+----------------+
| 171 | testaccount | Framed-IP-Address | := | 192.168.3.5 | 68.190.182.200 |
+-----+-------------+-------------------+----+-------------+----------------+
4) I put the user "testaccount" into both the Dial-Up and Wireless
groups. Now, if I run a test (I use NTRadPing) from anything other than
68.190.182.200, it replies with the attributes for Dial-Up. If I run a
test from 68.190.182.200, it replies with the attributes for Wireless,
including the Static IP. Now, if I insert "testaccount2" into
radreply (assuming the user is a part of Dial-Up already), with a Static
IP, but nothing in "HuntGroup" and test from anything, it returns the
attributes only in radreply - Static IP.
You could expand upon this, as it may not be complete. Feel free to
correct me or make other points.
-Nick
Graeme Hinchliffe wrote:
>Hiya,
> Use Client-IP rather than NAS-IP as NAS-IP can be spoofed.
>
>Graeme
>
>On Wed, 2005-06-08 at 15:30 -0700, N White wrote:
>
>
>>Graeme Hinchliffe wrote:
>>
>>
>>
>>>Hiya
>>> perhaps you could do it using huntgroups.
>>>
>>> Put the static attributes for the user in the radreply table, then
>>>assign each nas to a huntgroup, so say
>>>
>>>NAS-dynamic
>>>
>>> Then in radgroupreply you put the attributes for for dynamic IP
>>>assignment on the NAS-dynamic, and ensure there is an attribute to
>>>override the static settings.
>>>
>>>not 100% about the overriding of the static IP settings, but would think
>>>it possible using the assignment ( := ) operator and possibly a null
>>>value?
>>>
>>>Hope thats of some help.
>>>
>>>
>>>
>>>
>>Do I need to setup a "HuntGroups" field like Mike suggested? Ok, so in
>>huntgroups file:
>>
>>Wireless NAS-IP-Address = (the IP of the Wireless NAS)
>> Autz-Type = SQL1 (modify radiusd.conf to include
>>this, and sql.conf like in Mike's post?)
>>NAS-dynamic NAS-IP-Address = (ip of dialup NAS)
>> NAS-IP-Address = (ip of isdn NAS)
>>
>>in radgroupreply:
>>
>>+-------------+--------------------+----+---------------------+-----------+
>>| GroupName | Attribute | op | Value | HuntGroup |
>>+-------------+--------------------+----+---------------------+-----------+
>>| Wireless | Service-Type | = | Framed-User | Wireless |
>>| Wireless | Framed-Protocol | = | PPP | Wireless |
>>| Wireless | Framed-IP-Address | = | 255.255.255.254 | Wireless |
>>| Wireless | Framed-IP-Netmask | = | 255.255.255.255 | Wireless |
>>| Wireless | Framed-Compression | = | Van-Jacobson-TCP-IP | Wireless |
>>+-------------+--------------------+----+---------------------+-----------+
>>All Other users would go into the Dial-Up Group, which would have a HuntGroup of NAS-dynamic?
>>
>>in radreply:
>>
>>+-----------+-------------------+-----+---------------+
>>| UserName | Attribute | op | Value |
>>+-----------+-------------------+-----+---------------+
>>| test123 | Framed-IP-Address | := | 192.168.2.10 |
>>+-----------+-------------------+-----+---------------+
>>
>>Now in radgroupcheck do I need a NAS-IP-Address check for each group(or
>>the wireless group?)?
>>Thanks for everyone's help.
>>
>>-Nick
>>
--
------------------------
| Nick White |
| Network Consultant |
| http://www.edge9.net |
| nwtech at tele-net.net |
------------------------
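The three authorize queries from step 2, as an added worked example that is not part of the original post and not FreeRADIUS code: a Python script loads them into an in-memory SQLite database with rows modelled on step 3 and runs them for two Client-IP-Address values, so the per-NAS filtering can be seen offline. The two FreeRADIUS xlats (%{SQL-User-Name}, %{request:Client-IP-Address}) are replaced by bound parameters; the NAS addresses, the Dial-Up reply rows (ids 200 and 201) and the user testaccount2 are constructed for the demo. The script returns only what the SQL returns; what rlm_sql then does with the Auth-Type check items and the reply list is not modelled.

```python
import sqlite3

# Constructed NAS addresses, mirroring the two hunt groups in the post.
WIRELESS_NAS = "68.190.182.200"
DIALUP_NAS = "63.151.182.3"

# Minimal FreeRADIUS 1.x-style tables plus the added HuntGroup column (step 1).
SCHEMA = """
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT,
                            op TEXT, Value TEXT, HuntGroup TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT,
                            op TEXT, Value TEXT, prio INTEGER, HuntGroup TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT,
                            op TEXT, Value TEXT, HuntGroup TEXT);
"""

# Constructed rows. Ids 128-135 and 171 follow step 3 of the post; 200, 201
# and testaccount2 are assumptions added for the demo. Row 201 deliberately
# uses '' rather than NULL in HuntGroup to show the difference.
ROWS = {
    "usergroup": [("testaccount", "Wireless"), ("testaccount", "Dial-Up"),
                  ("testaccount2", "Dial-Up")],
    "radgroupcheck": [
        (132, "Wireless", "Auth-Type", "==", "Local", WIRELESS_NAS),
        (134, "Dial-Up", "Auth-Type", "==", "Local", DIALUP_NAS),
        (135, "Dial-Up", "Auth-Type", "==", "Reject", WIRELESS_NAS),
    ],
    "radgroupreply": [
        (128, "Wireless", "Framed-Protocol", ":=", "PPP", 0, WIRELESS_NAS),
        (129, "Wireless", "Framed-IP-Address", ":=", "255.255.255.254", 0, WIRELESS_NAS),
        (134, "Wireless", "Session-Timeout", ":=", "14400", 0, WIRELESS_NAS),
        (200, "Dial-Up", "Service-Type", ":=", "Framed-User", 0, None),  # any NAS
        (201, "Dial-Up", "Idle-Timeout", ":=", "300", 0, ""),            # '' != NULL
    ],
    "radreply": [
        (171, "testaccount", "Framed-IP-Address", ":=", "192.168.3.5", WIRELESS_NAS),
        (172, "testaccount2", "Framed-IP-Address", ":=", "192.168.3.6", None),
    ],
}

# The queries from step 2 with the xlats replaced by bound parameters:
# first ? = %{SQL-User-Name}, second ? = %{request:Client-IP-Address}.
GROUP_CHECK_Q = """
SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
       radgroupcheck.Value, radgroupcheck.op
FROM radgroupcheck, usergroup
WHERE usergroup.UserName = ?
  AND usergroup.GroupName = radgroupcheck.GroupName
  AND (radgroupcheck.HuntGroup = ? OR radgroupcheck.HuntGroup IS NULL)
ORDER BY radgroupcheck.id"""
# The group reply query is identical apart from the table name.
GROUP_REPLY_Q = GROUP_CHECK_Q.replace("radgroupcheck", "radgroupreply")
# The per-user reply query additionally treats '' as "any NAS".
USER_REPLY_Q = """
SELECT id, UserName, Attribute, Value, op FROM radreply
WHERE UserName = ?
  AND (HuntGroup = ? OR HuntGroup = '' OR HuntGroup IS NULL)
ORDER BY id"""


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():  # table names come from our own constant
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    conn.commit()
    return conn


def authorize(conn, user, client_ip):
    """Run the three queries as rlm_sql would for one Access-Request.

    Returns {'check', 'group_reply', 'user_reply'}, each a list of
    (GroupName-or-UserName, Attribute, op, Value) tuples in id order.
    """
    params = (user, client_ip)

    def run(query):
        return [(r[1], r[2], r[4], r[3]) for r in conn.execute(query, params)]

    return {"check": run(GROUP_CHECK_Q),
            "group_reply": run(GROUP_REPLY_Q),
            "user_reply": run(USER_REPLY_Q)}


if __name__ == "__main__":
    db = build_db()
    for ip in (WIRELESS_NAS, DIALUP_NAS, "10.0.0.1"):
        print(f"--- testaccount via {ip}")
        for section, items in authorize(db, "testaccount", ip).items():
            print(f"  {section}: {items}")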
More information about the Freeradius-Users
mailing list