NAS-Group? - different replies to different NASes?

Adrian adrian at dsl4u.ca
Thu Feb 28 00:14:50 CET 2008


One more question,

Can I use a combination of the users file and the SQL at the same time?  I'm
thinking of enabling the users file and entering all the DEFAULT entries in
there but still keeping the users in SQL and having authentication fall through
the users file to the SQL file.

Will this work?
Adrian

-----Original Message-----
From: freeradius-users-bounces+adrian=dsl4u.ca at lists.freeradius.org
[mailto:freeradius-users-bounces+adrian=dsl4u.ca at lists.freeradius.org] On
Behalf Of Adrian
Sent: Wednesday, February 27, 2008 6:04 PM
To: 'FreeRadius users mailing list'
Subject: RE: NAS-Group? - different replies to different NASes?

Hello Ivan,

I haven't had much luck with setting this up.  We use a MySQL DB and in the
sql.conf file I don't use the DEFAULT Profile section nor do we use the
users file.  I've spoken with a few friends and they were able to get this
working but in a flat-file environment (i.e. using the users file and using
the DEFAULT you've mentioned below).

Is there a way to get this working with SQL without hacking the SQL
statements?

I was thinking of modifying the authorization query in sql.conf
(authorize_group_check_query) to utilize a Huntgroup-Name attribute in the
radgroupcheck table.  Not sure if this will even work.

Here is the original query:
authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op  FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"

Here is the proposed changed query:
authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op  FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.NASGroup = ${groupcheck_table}.NASGroup ORDER BY ${groupcheck_table}.id"

For the above to work I would have to introduce a new column in the
usergroup table called NASGroup and also in the radcheckgroup table.
This sounds like a lot of work and maybe unnecessary.

I'm pretty sure this works with huntgroups and flat files...how can I make
it work with SQL?  Will my answer be turning up "Default Profile" under the
sql.conf file of the radius server?

Best regards,
Adrian

-----Original Message-----
From: freeradius-users-bounces+adrian=dsl4u.ca at lists.freeradius.org
[mailto:freeradius-users-bounces+adrian=dsl4u.ca at lists.freeradius.org] On
Behalf Of Adrian
Sent: Tuesday, February 26, 2008 5:09 PM
To: 'FreeRadius users mailing list'
Subject: RE: NAS-Group? - different replies to different NASes?

Thanks Ivan,

I will give that a try.  Thanks for all your help.

Adrian

-----Original Message-----
From: freeradius-users-bounces+adrian=dsl4u.ca at lists.freeradius.org
[mailto:freeradius-users-bounces+adrian=dsl4u.ca at lists.freeradius.org] On
Behalf Of Ivan Kalik
Sent: Tuesday, February 26, 2008 2:37 PM
To: FreeRadius users mailing list
Subject: RE: NAS-Group? - different replies to different NASes?

>
>A: I have a set of "master" tunnel attributes that I always have to send to
>this Telco.
>i.e. Service-Type, Tunnel-Type, Tunnel-Preference, Tunnel-Password,
>Tunnel-Server-Endpoint..etc
>The way this Telco obtains these attributes is by sending the
>Username/Password combination my way. (i.e. I need to authenticate
>userxyz at telco.com).  Once I see that user come through from their boxes (3
>Static IPs) I have to send back to them the tunnel attributes above.  Once
>the tunnel attributes were sent, they establish an L2TP tunnel to my LNS and
>my LNS now asks my Radius server again to authenticate the user.  So I see
>the same userxyz at telco.com requesting to be authenticated.  Since I
>currently cannot distinguish between NASes I am sending the same Tunnel
>Attributes to my LNS which causes my LNS to try to initiate a tunnel back to
>itself (because the Tunnel-Server-Endpoint attribute is the actual LNS).
>++++++++++++++++++++++++++++++++++++++
>

This is very strange. That information should be on telco radius server,
not yours. It should not have to proxy requests to you. They ought to
know the tunnel endpoint - *they* gave you the IP to set on your router
when they leased you the line.

Simplest thing to do is to create a huntgroup called LAC and place those
static IPs there. Then put something like this in your users file:

DEFAULT   Huntgroup-Name == "LAC", Auth-Type := Accept
                 Reply-Message = "You are one strange telco",
                 and list other reply attributes that you need to send them.


Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
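The following is an added example, not code from this thread or from the FreeRADIUS project. It models the huntgroup-keyed DEFAULT entry Ivan suggests: a `huntgroups` file maps the telco's static LAC addresses to a group named LAC, Huntgroup-Name is derived from NAS-IP-Address the way FreeRADIUS's preprocess module does, and the users-file DEFAULT entry then only matches requests arriving from that group. Requests from the LNS miss the entry and return nothing, which is the point of the design: the tunnel attributes never go back to the LNS. The addresses, attribute values and tunnel endpoint in the two embedded files are constructed samples; the parsers are a toy that handles only the `==`, `:=` and `=` operators.

```python
"""Toy model of a huntgroup-keyed users-file DEFAULT entry (added example)."""
import re

# Constructed sample huntgroups file: the telco's three LAC addresses.
HUNTGROUPS_FILE = """
# huntgroup   check item(s)
LAC   NAS-IP-Address == 192.0.2.10
LAC   NAS-IP-Address == 192.0.2.11
LAC   NAS-IP-Address == 192.0.2.12
"""

# Constructed sample users file: check items on the first line, reply items
# on indented continuation lines, comma-separated, the last without a comma.
USERS_FILE = """
DEFAULT   Huntgroup-Name == "LAC", Auth-Type := Accept
          Service-Type = Outbound-User,
          Tunnel-Type = L2TP,
          Tunnel-Server-Endpoint = "198.51.100.1",
          Reply-Message = "You are one strange telco"
"""

# attribute, operator, value; ":=" and "==" are tried before plain "=".
ITEM_RE = re.compile(r'^([\w-]+)\s*(:=|==|=)\s*(.+)$')


def split_item(text):
    """Split 'Attr op value' into a tuple, dropping surrounding quotes."""
    m = ITEM_RE.match(text.strip())
    if not m:
        raise ValueError("malformed item: %r" % text)
    attr, op, value = m.groups()
    return attr, op, value.strip('"')


def parse_huntgroups(text):
    """Return {name: [[(attr, op, value), ...], ...]}.

    Items on one line must all match (AND); repeated names are alternatives."""
    groups = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        name, checks = line.split(None, 1)
        groups.setdefault(name, []).append(
            [split_item(p) for p in checks.split(",") if p.strip()])
    return groups


def parse_users(text):
    """Return [(entry_name, check_items, reply_items), ...] (toy: no commas in values)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                      # continuation line: reply item
            if not entries:
                raise ValueError("reply item before any entry: %r" % raw)
            entries[-1][2].append(split_item(raw.strip().rstrip(",")))
        else:                                     # entry name + check items
            parts = raw.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            checks = [split_item(p) for p in rest.split(",") if p.strip()]
            entries.append((parts[0], checks, []))
    return entries


def huntgroup_for(request, groups):
    """Name of the first huntgroup whose check items match the request, else None."""
    for name, alternatives in groups.items():
        for items in alternatives:
            if all(request.get(attr) == value for attr, _op, value in items):
                return name
    return None


def authorize(request, groups, entries):
    """Return (control_items, reply_items) from the first matching entry.

    ({}, []) means no entry matched; in FreeRADIUS the request would then fall
    through to whatever module follows "files" in the authorize section."""
    req = dict(request)
    hg = huntgroup_for(req, groups)
    if hg is not None:
        req["Huntgroup-Name"] = hg               # what preprocess adds
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != req.get("User-Name"):
            continue
        control, matched = {}, True
        for attr, op, value in checks:
            if op == ":=":                       # control item, e.g. Auth-Type
                control[attr] = value
            elif req.get(attr) != value:         # "==" check against the request
                matched = False
                break
        if matched:
            return control, list(replies)
    return {}, []


def demo():
    """Same user seen first from a telco LAC, then from the local LNS (constructed)."""
    groups, entries = parse_huntgroups(HUNTGROUPS_FILE), parse_users(USERS_FILE)
    lac = {"User-Name": "userxyz@telco.com", "NAS-IP-Address": "192.0.2.11"}
    lns = {"User-Name": "userxyz@telco.com", "NAS-IP-Address": "198.51.100.1"}
    return authorize(lac, groups, entries), authorize(lns, groups, entries)
```

Running `demo()` returns the Auth-Type := Accept control item plus the four reply attributes for the request from 192.0.2.11, and an empty result for the request from the LNS address, so the LNS never receives a Tunnel-Server-Endpoint pointing at itself. The same distinction is what the SQL variant in the thread would have to reproduce with an extra group column, which is why the huntgroup route needs no schema change.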
