More Info: Setting group membership

inetjunkmail inetjunkmail at gmail.com
Wed Nov 10 16:15:01 CET 2010


Debug info below

On Tue, Nov 9, 2010 at 2:09 PM, inetjunkmail <inetjunkmail at gmail.com> wrote:

> I know I'm missing something obvious but I'm stuck here so I apologize in
> advance for the silly question.
>
> I'm using freeradius 2.1.7.
>
> I'm using the "files" option for all processes but I want to use user
> groups so I can reference them in my huntgroups definitions as groups of
> users permitted to authenticate to that group of devices.  I tried
> modifying the etc_group module and the group is correctly determined but it
> takes place after the huntgroup decision making process done by
> "preprocessing" so the match condition for the huntgroup fails.  I then
> inserted the module before "preprocessing" in my sites-available/default
> file and the group is correctly determined prior to preprocessing but it
> doesn't seem to match the test condition.  Snippets of config are below.
> Any guidance would be appreciated.
>
> modules/My-Group-Name
> -----
> passwd My-Group-Name {
>     filename = /etc/raddb/group
>     format = "=My-Group-Name:*,User-Name"
>     hashsize = 50
>     ignorenislike = yes
>     allowmultiplekeys = yes
>     delimiter = ":"
> }
> -----
>
> dictionary
> -----
> ATTRIBUTE    My-Group-Name        3000    string
> -----
>
> group
> -----
> telecom:test1
> hg1admin:test2
>
> huntgroups
> -----
> hg1     NAS-IP-Address =~ "^10\.69\.1\..*"
>         My-Group-Name == telecom,
>         My-Group-Name == hg1admin,
> -----
>
> users
> -----
> test1    Cleartext-Password := "password1"
> test2    Cleartext-Password := "password2"
> -----
>
> I've inserted the My-Group-Name module at various locations within
> sites-available/default with no luck.  Again, any guidance would be
> appreciated.
>
>
>
Here is some debug info.  The group name is assigned but the huntgroup
match still fails.  Can someone provide insight as to why?

Ready to process requests.
rad_recv: Access-Request packet from host 10.69.1.10 port 1645, id=69, length=76
    User-Name = "test1"
    User-Password = "password1"
    NAS-Port = 0
    NAS-Port-Id = "tty0"
    NAS-Port-Type = Async
    Calling-Station-Id = "async"
    NAS-IP-Address = 10.69.1.10
+- entering group authorize {...}
[My-Group-Name] Added My-Group-Name: 'telecom' to reply_items
++[My-Group-Name] returns ok
[preprocess]     expand: %{NAS-IP-Address} -> 10.69.1.10
[preprocess] No huntgroup access: [test1] (from client k12 port 0 cli async)
++[preprocess] returns reject
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 69 to 10.69.1.10 port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 69 with timestamp +16
Ready to process requests.