Multiple Attribute checks with sql module
Alexander Koeppe
format_c at online.de
Tue Aug 12 23:48:16 CEST 2008
Hello List,
I want to set up FreeRADIUS as a proxy for Cisco management and dot1x.
The attribute to check is NAS-Port-Type. If it's "Ethernet", it's a dot1x request and has to be proxied by one realm configured in proxy.conf. Else it has to be proxied to another realm, also configured in proxy.conf, for one-time-password authentication.
Further, if a specific NAS requests, the request should be accepted by the proxy itself.
I got this already working with the users file looking like
DEFAULT NAS-Port-Type==Ethernet,NAS-IP-Address==1.1.1.1,Auth-Type:=Accept
DEFAULT NAS-Port-Type==Ethernet,Proxy-To-Realm:=Realm1
DEFAULT NAS-IP-Address==1.1.1.1,Auth-Type:=Accept
DEFAULT Proxy-To-Realm:=Realm2
But I don't get this working using the sql module.
My database structure looks like
mysql> select * from radcheck;
+----+----------+---------------+----+-------+
| id | UserName | Attribute     | op | Value |
+----+----------+---------------+----+-------+
|  2 | testuser | Password      | == | test  |
|  4 | DEFAULT  | NAS-Port-Type | =* |       |
+----+----------+---------------+----+-------+
2 rows in set (0.00 sec)
mysql> select * from usergroup;
+----+----------+------------+
| id | UserName | GroupName  |
+----+----------+------------+
|  2 | DEFAULT  | ProxyMgt   |
|  3 | DEFAULT  | ProxyDOT1x |
+----+----------+------------+
1 row in set (0.00 sec)
mysql> select * from radgroupcheck;
+----+------------+----------------+----+----------+
| id | GroupName  | Attribute      | op | Value    |
+----+------------+----------------+----+----------+
|  4 | ProxyMgt   | NAS-Port-Type  | == | Virtual  |
|  5 | ProxyMgt   | Proxy-To-Realm | := | Mgt      |
|  6 | ProxyDOT1x | NAS-Port-Type  | == | Ethernet |
|  7 | ProxyDOT1x | Proxy-To-Realm | := | PortSec  |
+----+------------+----------------+----+----------+
4 rows in set (0.00 sec)
mysql> select * from radgroupreply;
Empty set (0.00 sec)
With this sql configuration, the server proxies management requests but not dot1x requests.
In debug it says "No matching entry in the database for request from user".
Despite the acceptance of specific NAS requests.
The reason I want to realize this configuration with the sql module is that changes are possible without HUPing the process.
I've read the documentation which is available for the sql module, but the examples described there are not complex enough to help with my problem.
Can anyone help me to realize the above-mentioned configuration of the users file with the sql module?
Thanks in advance
Cheers Alex
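
Added example, not part of the original post and not FreeRADIUS code: a Python model of the four users-file entries quoted above, usable as a reference decision table when checking that an SQL-backed configuration routes the same requests the same way. It assumes entries are tried top to bottom and the first match wins because none sets Fall-Through; the sample requests and the address 10.0.0.5 are constructed.

```python
# Added illustration, not FreeRADIUS code. Models the four DEFAULT entries
# from the post. Assumption: entries are tried top to bottom and the first
# entry whose == checks all match wins (no entry sets Fall-Through).
RULES = [
    ({"NAS-Port-Type": "Ethernet", "NAS-IP-Address": "1.1.1.1"}, ("Auth-Type", "Accept")),
    ({"NAS-Port-Type": "Ethernet"}, ("Proxy-To-Realm", "Realm1")),
    ({"NAS-IP-Address": "1.1.1.1"}, ("Auth-Type", "Accept")),
    ({}, ("Proxy-To-Realm", "Realm2")),  # catch-all: no check items
]


def decide(request, rules=RULES):
    """Return (entry_number, control_attribute, value) for the first matching entry."""
    for number, (checks, (attr, value)) in enumerate(rules, start=1):
        if all(request.get(name) == want for name, want in checks.items()):
            return number, attr, value
    return None  # not reached while a catch-all entry is present


def decision_table(samples, rules=RULES):
    """Map each named sample request to its decision."""
    return {name: decide(req, rules) for name, req in samples.items()}


# Constructed sample requests; 10.0.0.5 is a made-up second NAS.
SAMPLES = {
    "dot1x from 1.1.1.1": {"NAS-Port-Type": "Ethernet", "NAS-IP-Address": "1.1.1.1"},
    "dot1x from other NAS": {"NAS-Port-Type": "Ethernet", "NAS-IP-Address": "10.0.0.5"},
    "mgmt from 1.1.1.1": {"NAS-Port-Type": "Virtual", "NAS-IP-Address": "1.1.1.1"},
    "mgmt from other NAS": {"NAS-Port-Type": "Virtual", "NAS-IP-Address": "10.0.0.5"},
}

if __name__ == "__main__":
    for name, result in decision_table(SAMPLES).items():
        print(f"{name:22} -> entry {result[0]}: {result[1]} := {result[2]}")
    # Order matters: with entries 1 and 2 swapped, the dot1x request from
    # 1.1.1.1 is proxied to Realm1 instead of being accepted locally.
    swapped = [RULES[1], RULES[0]] + RULES[2:]
    print("swapped:", decide(SAMPLES["dot1x from 1.1.1.1"], swapped))
```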