prevent roaming configuration question

isidoros webmaster at fragrant-chios.com
Mon Oct 2 13:30:09 CEST 2006


James Wakefield wrote:
> isidoros wrote:
>
>> Thanks James for your answer,
>>
>> I'm fairly new to freeradius; I have known the package for only 14 days 
>> (or radius in general, for that matter).
>>
>> The group configuration is a mystery to me. It is unclear for me how 
>> this separates the users. This is how I think
>> 1) G1 with users A,B,C
>> 2) G2 with users X,Y,Z
>> 3) At a request the configuration determines which group the user 
>> belongs to
>> 4) And makes a query for the users A until Z to the same database
>> 5) the auth_query only talks about the user.
>> 6) This is the point where I fail to understand how the group config 
>> helps me. The query is made to the same database on behalf of any 
>> user.
>>
>> Please spell it out to me where my thinking goes wrong. I would like 
>> to understand this group config thing better (if at all at this 
>> point in time).
>
> Hi Isidoros,
>
> In sql.conf,
>
> authcheck_table = "radcheck"
> authreply_table = "radreply"
>
> groupcheck_table = "radgroupcheck"
> groupreply_table = "radgroupreply"
>
> usergroup_table = "usergroup"
>
>
> groupcheck_table and usergroup_table are referred to here:
>
> authorize_group_check_query = "SELECT 
> ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op 
>  FROM ${groupcheck_table},${usergroup_table} WHERE 
> ${usergroup_table}.Username = '%{SQL-User-Name}' AND 
> ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY 
> ${groupcheck_table}.id"
>
> This retrieves all the check items that apply to the group the user 
> belongs to.  The usergroup table maps users to groups, and 
> radgroupcheck maps groups to check items.  A check item, which will be 
> a new term to you if you're a newbie, is an expression which is 
> evaluated when deciding whether or not to authorize a request, such as 
> User-Password == "mypassword", or Calling-Station-Id != "5554796".
>
> When rlm_sql is invoked to authorize a request, the user's check items 
> in radcheck are evaluated.  When the user is in a group, this might 
> only be to check User-Password.  Then, authorize_group_check_query is 
> used to  retrieve check items for the user's group, which are then 
> evaluated. If all the applicable check items, from both radcheck and 
> radgroupcheck, match, then the reply items - Attribute=Value pairs 
> sent from freeradius to the NAS when it sends the Access-Accept 
> message for an authorized request - are retrieved by querying 
> radreply, for reply items specific to the user, and radgroupreply, for 
> reply items specific to the user's group.
>
> Make any more sense?
>
>>
>> In the meanwhile:
>> I have solved the problem with the below changes:
>>
>> in sql.conf replace this rule with:
>> authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
>> FROM ${authcheck_table} \
>> WHERE Username = '%{SQL-User-Name}' AND \
>> Location = (SELECT Location FROM nas WHERE nasname = 
>> '%{NAS-Identifier}') \
>> ORDER BY id"
>>
>>
>> in mysql
>>
>> fill the nas table with your info:
>> INSERT INTO nas (nasname, nasshortname, type, secret, Location) 
>> VALUES ('yournasname in chillspot', 'anyname', 'other', 'shared 
>> secret', 'Location-number');
>>
>> It works, but I have no idea if this is "best practice" or I'm 
>> seriously damaging the config.
>
> Best practice is to not change any code if you don't have to.  By 
> using groups, you don't have to change any code.  I wouldn't say 
> you've "seriously damaged" the config, but you may find that it 
> doesn't behave in the future.  I would recommend spending the time 
> getting groups and group checks to work, then reverting any SQL 
> queries you've altered back to their defaults.  It'll be much less 
> painful in the long run.
>
> Cheers,
>

James:

I'm almost there (now I'm thinking like this)
1) authorize_group_check_query:  to check if the user is in a group
2) authorize_group_check_query:  retrieve the check-items for this group 
(which is my solution)
3) authorize on the check-items. If the expression is like this ("whether 
or not to authorize a request, such as User-Password == "mypassword", or 
Calling-Station-Id != "5554796"), 
will all users in the same group be authorized by the same password?

I guess my question is: Is the group check additional to the user check.


regards,

isidoros
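Added example, not code from the list thread, from James, or from FreeRADIUS itself: it loads the default sql.conf queries James quotes into an in-memory SQLite copy of the radcheck, radreply, radgroupcheck, radgroupreply and usergroup tables and replays the rlm_sql authorize path in Python. Assumptions: the ${table} variables are expanded by hand, %{SQL-User-Name} becomes a bound parameter, only the == and != check-item operators are modelled, a user with no check items at all is treated as rejected, and the users, groups, passwords and NAS identifiers are constructed sample data. Running it shows the point behind Isidoros's question: the group's check items are evaluated in addition to the user's own radcheck items, so a correct password is not enough when the group's NAS-Identifier item fails, and the password itself stays per-user rather than per-group.

```python
"""Added example (not FreeRADIUS code): replay the rlm_sql authorize path
from the thread against an in-memory SQLite copy of the default tables.

Assumptions made for illustration: the ${table} variables from sql.conf are
expanded by hand, %{SQL-User-Name} becomes a bound parameter, only the
== and != check-item operators are modelled, and a user with no check items
at all is treated as rejected. Users, groups, passwords and NAS names below
are constructed sample data."""
import sqlite3

SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
"""

COLUMNS = {
    "radcheck": "UserName, Attribute, op, Value",
    "radreply": "UserName, Attribute, op, Value",
    "radgroupcheck": "GroupName, Attribute, op, Value",
    "radgroupreply": "GroupName, Attribute, op, Value",
    "usergroup": "UserName, GroupName",
}

# Constructed data: per-user passwords in radcheck, and one check item per
# group that pins the group to a NAS (the thread's roaming-prevention goal).
SAMPLE_ROWS = [
    ("radcheck",      ("alice",  "User-Password",     "==", "alice-secret")),
    ("radcheck",      ("xavier", "User-Password",     "==", "xavier-secret")),
    ("radreply",      ("alice",  "Framed-IP-Address", "=",  "10.0.0.5")),
    ("radgroupcheck", ("G1",     "NAS-Identifier",    "==", "nas-1")),
    ("radgroupcheck", ("G2",     "NAS-Identifier",    "==", "nas-2")),
    ("radgroupreply", ("G1",     "Session-Timeout",   "=",  "3600")),
    ("radgroupreply", ("G2",     "Session-Timeout",   "=",  "7200")),
    ("usergroup",     ("alice",  "G1")),
    ("usergroup",     ("xavier", "G2")),
]

# Default sql.conf queries with ${...} expanded; column order follows sql.conf.
AUTHORIZE_CHECK_QUERY = (
    "SELECT id, UserName, Attribute, Value, op FROM radcheck "
    "WHERE UserName = ? ORDER BY id")
AUTHORIZE_GROUP_CHECK_QUERY = (
    "SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, "
    "radgroupcheck.Value, radgroupcheck.op FROM radgroupcheck, usergroup "
    "WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupcheck.GroupName "
    "ORDER BY radgroupcheck.id")
AUTHORIZE_REPLY_QUERY = (
    "SELECT Attribute, Value FROM radreply WHERE UserName = ? ORDER BY id")
AUTHORIZE_GROUP_REPLY_QUERY = (
    "SELECT radgroupreply.Attribute, radgroupreply.Value FROM radgroupreply, usergroup "
    "WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupreply.GroupName "
    "ORDER BY radgroupreply.id")


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, row in SAMPLE_ROWS:
        marks = ", ".join("?" * len(row))
        conn.execute(f"INSERT INTO {table} ({COLUMNS[table]}) VALUES ({marks})", row)
    return conn


def check_item_matches(request, attribute, op, value):
    """Evaluate one check item against the request's attribute/value pairs.
    Only == and != are modelled here; an attribute missing from the request
    fails == and satisfies != (a simplification of the server's rules)."""
    actual = request.get(attribute)
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    raise ValueError(f"operator {op!r} not modelled in this example")


def authorize(conn, request):
    """Return (accepted, reply_items) in the order James describes: the
    user's radcheck items, then the group's radgroupcheck items; every item
    from both tables must match before any reply items are collected."""
    user = request["User-Name"]
    user_checks = conn.execute(AUTHORIZE_CHECK_QUERY, (user,)).fetchall()
    group_checks = conn.execute(AUTHORIZE_GROUP_CHECK_QUERY, (user,)).fetchall()
    if not user_checks and not group_checks:
        return False, []  # unknown user: nothing to authorize against (assumption)
    for _id, _owner, attribute, value, op in user_checks + group_checks:
        if not check_item_matches(request, attribute, op, value):
            return False, []
    reply = conn.execute(AUTHORIZE_REPLY_QUERY, (user,)).fetchall()
    reply += conn.execute(AUTHORIZE_GROUP_REPLY_QUERY, (user,)).fetchall()
    return True, reply


if __name__ == "__main__":
    db = build_db()
    for req in (
        {"User-Name": "alice",  "User-Password": "alice-secret", "NAS-Identifier": "nas-1"},
        {"User-Name": "alice",  "User-Password": "alice-secret", "NAS-Identifier": "nas-2"},
        {"User-Name": "xavier", "User-Password": "alice-secret", "NAS-Identifier": "nas-2"},
    ):
        print(req["User-Name"], "via", req["NAS-Identifier"], "->", authorize(db, req))
```

The second request (alice with the right password but from nas-2) is rejected purely by the G1 group item, and the third (xavier trying alice's password) is rejected by his own radcheck item, which is the answer to both questions in the message above: group checks are additional to user checks, and passwords are not shared across a group.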


