From users file to SQL
David Majorel
dm at lagoon.nc
Thu Jun 7 06:58:30 CEST 2007
It doesn't work. When the user is a member of SUSPENDED and has a static IP
address, rlm_sqlippool doesn't override the Framed-IP-Address.
This is the behavior I expect for all other cases/groups.

I had another problem with this configuration. A user can be a member of
multiple groups. If he is a member of SUSPENDED, I want it to be the only
group evaluated. This can be achieved with "Fall-Through" in the users file, but
I don't know how to do it with SQL.

Finally, I tried to use SQL-Group in the users file (see below). I can pull user
attributes from the database after processing group attributes in the users file.
Nevertheless, I still have a problem with group SUSPENDED. I need to end all
the authorize processing instead of going on to the next module. Is it possible?
------ users ------
DEFAULT Pool-Name := "default"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.254,
        Framed-MTU = 1492,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Qos-Policy-Metering = DL128,
        Qos-Policy-Policing = UL64,
        Fall-Through = Yes

# Group processing
DEFAULT SQL-Group == "SUSPENDED", Auth-Type := Accept, \
        Pool-Name := "disabled"
# If user is disabled, I want to end authorize process now

DEFAULT SQL-Group == "DSL500", Pool-Name := "dsl500"
        Qos-Policy-Metering := DL512,
        Qos-Policy-Policing := UL128,
        Fall-Through = Yes
# go on with sql and user specific attributes
-----
---- radiusd.conf ----
[...]
authorize {
        files
        chap
        sql
}
[...]
-----
> WARNING: Are you sure that you don't want to reject connections from
> suspended/non-existent users? All they have to do is set a static IP
> address from your pool on their end (it's ever so simple to force a
> static IP address in Connection Properties) and gain access.
I am not able to gain access by adding an IP address in connection properties.
Connection is rejected by the BAS when an IP (in the pool or not) is
requested.
> It will work fine if you set the pool to override the IP address already
> set.
>
> 1. Leave the # Default profile for everyone in the users file
>
> 2. Make groups SUSPENDED, DSL500 etc. in groupcheck table. You need 2
> entries for group SUSPENDED, and one for others:
>
> (GroupName, Attribute, op, Value)
> SUSPENDED, Auth-Type, :=, Accept
> SUSPENDED, Pool-Name, :=, disabled
>
> DSL500, Pool-Name, :=, dsl500
>
> 3. Make groupreply entries:
>
> (GroupName, Attribute, op, Value)
> DSL500, Qos-Policy-Metering, :=, DL512
> DSL500, Qos-Policy-Policing, :=, UL128
>
> 4. Create user entries in radcheck table:
>
> (UserName, Attribute, op, Value)
> testuser, Cleartext-Password, :=, test
>
> 5. Set static IP addresses and routes in radreply table:
>
> (UserName, Attribute, op, Value)
> testuser, Framed-IP-Address, :=, ...
> etc.
>
> 6. Connect users to groups in usergroup table
>
> If the user is suspended, the IP address from the "disabled" IP pool will
> override the static IP address from the radreply table. Without the
> correct IP address, the route won't work.
Thanks
--
David Majorel
Offratel/Lagoon ISP