Struggling - radgroupcheck/radgroupreply

Phil Mayers p.mayers at imperial.ac.uk
Tue Oct 23 11:37:56 CEST 2007


On Mon, 2007-10-22 at 19:30 -0400, Bryan Martin wrote:
> I need to have my NetworkGroup get passed one set of attributes and my 
> ServerGroup get passed another.  But I have some EnterpriseAdmins who need 
> access to both sets so I need to pass the correct attribute back depending 
> on which device they try to auth from.

This is getting to be an FAQ.

http://marc.info/?l=freeradius-users&m=119010719300080&w=2

> 
> User Joe is an EnterpriseAdmin.  He is a member of the NetworkGroup and the 
> ServerGroup so I need him to have the correct attributes passed to him 
> depending on which NAS-IP-Address he comes from respectively.  For instance, 
> if joe tries to log in through 192.168.0.50 I need to pass back "Class = 
> OU=ServerGroup".  If joe tries to log in through 192.168.0.1 I need to pass 
> him "Class = OU=NetworkGroup".  The way it stands no matter which 
> NAS-IP-Address he comes from because he is a member of both groups he gets 
> both attributes sent back from radgroupreply.
> 
> User Sally is a member of the NetworkGroup so I only want radgroupreply to 
> send just the attributes for the NetworkGroup.
> 
> User Bob is a ServerGroup so I only want bob to get the attributes from the 
> ServerGroup.
> 
> mysql> select * from radcheck;
> +----+----------+----------------------+----+---------------------------------------+
> | id | UserName | Attribute            | op | Value                                 |
> +----+----------+----------------------+----+---------------------------------------+
> |  8 | joe      | Password-With-Header | := | {md5}928a40033e748ad825e92ec4f9870696 |
> |  9 | sally    | Password-With-Header | := | {md5}928a40033e748ad825e92ec4f9870696 |
> | 10 | bob      | Password-With-Header | := | {md5}928a40033e748ad825e92ec4f9870696 |
> +----+----------+----------------------+----+---------------------------------------+
> 
> mysql> select * from usergroup;
> +----------+--------------+----------+
> | UserName | GroupName    | priority |
> +----------+--------------+----------+
> | joe      | NetworkGroup |        1 |
> | joe      | ServerGroup  |        2 |
> | sally    | NetworkGroup |        1 |
> | bob      | ServerGroup  |        1 |
> +----------+--------------+----------+
> 
> mysql> select * from radgroupcheck;
> +----+--------------+----------------+----+--------------+
> | id | GroupName    | Attribute      | op | Value        |
> +----+--------------+----------------+----+--------------+
> |  9 | ServerGroup  | NAS-IP-Address | =  | 192.168.0.50 |
> | 10 | ServerGroup  | Auth-Type      | =  | MD5          |
> | 11 | NetworkGroup | NAS-IP-Address | =  | 192.168.0.1  |
> | 12 | NetworkGroup | Auth-Type      | =  | MD5          |
> +----+--------------+----------------+----+--------------+
> 
> mysql> select * from radgroupreply;
> +----+--------------+-----------+----+-----------------+
> | id | GroupName    | Attribute | op | Value           |
> +----+--------------+-----------+----+-----------------+
> | 17 | NetworkGroup | Class     | := | OU=NetworkGroup |
> | 18 | ServerGroup  | Class     | := | OU=serverGroup  |
> +----+--------------+-----------+----+-----------------+
> 
> 
> Steps to reproduce if needed.
> insert into usergroup (UserName, GroupName, priority) VALUES ('joe', 'NetworkGroup', 1);
> insert into usergroup (UserName, GroupName, priority) VALUES ('joe', 'ServerGroup', 2);
> insert into usergroup (UserName, GroupName, priority) VALUES ('sally', 'NetworkGroup', 1);
> insert into usergroup (UserName, GroupName, priority) VALUES ('bob', 'ServerGroup', 1);
> 
> insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('ServerGroup', 'NAS-IP-Address', '=', '192.168.0.50');
> insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('ServerGroup', 'Auth-Type', '=', 'MD5');
> insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('NetworkGroup', 'NAS-IP-Address', '=', '192.168.0.1');
> insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('NetworkGroup', 'Auth-Type', '=', 'MD5');
> 
> insert into radgroupreply (GroupName, Attribute, op, Value) VALUES ('NetworkGroup', 'Class', ':=', 'OU=NetworkGroup');
> insert into radgroupreply (GroupName, Attribute, op, Value) VALUES ('ServerGroup', 'Class', ':=', 'OU=serverGroup');
> 
> Thanks for your time.