user belonging to multiple groups in rlm_passwd
Rafal Weglarz
rafal.weglarz+ml at gmail.com
Wed Jun 8 12:21:32 CEST 2011
Dear freeradius-users,
I'm trying to configure different access to users based on group membership.
What I would like to achieve is that userA is allowed only through
NAS-Port 1, userB through NAS-Port 2 and userAll through both.
It seems to work OK as long as each user is only in one group. If I
put one user in two groups he is not able to log in. My configuration
is as follows:
FreeRADIUS Version 2.1.7
passwd usergroups {
filename = /etc/raddb/usergroups
format = "~ML-Group:*,User-Name"
hashsize = 0
ignorenislike = yes
}
usergroups is called before files in the authorize section
file usergroups:
siteA:userA,userAll
siteB:userB,userAll
file users:
DEFAULT NAS-Port==1,ML-Group!="siteA",Auth-type:=Reject
DEFAULT NAS-Port==2,ML-Group!="siteB",Auth-type:=Reject
userA Cleartext-password := "qaz123"
        NS-Admin-Privilege := Read-Only-Admin
userB Cleartext-password := "qaz123"
        NS-Admin-Privilege := Read-Only-Admin
userAll Cleartext-password := "qaz123"
        NS-Admin-Privilege := Root-Admin
DEFAULT Auth-type:= Reject
fragment of the debug log for user userAll:
[usergroups] Added ML-Group: 'siteA' to request_items
[usergroups] Added ML-Group: 'siteB' to request_items
++[usergroups] returns ok
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
Login incorrect: [userAll] (from client localhost port 1)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> userAll
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
best regards
rafal weglarz
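The behaviour described in the post, modelled as an added Python example (it is not FreeRADIUS code and not part of the original message). It parses the posted usergroups file into one ML-Group instance per membership, then evaluates the two DEFAULT entries of the posted users file for each user and NAS-Port. The `!=` check is evaluated per attribute instance; treating the entry as matched when any instance differs is an assumption, but it is the reading consistent with the debug log, where userAll (holding both siteA and siteB) still matched the `ML-Group!="siteA"` entry at line 1. The `any_instance=False` branch is included only to show how the outcome changes if all instances had to differ.

```python
"""Model of the posted users-file checks against the posted usergroups file.

Constructed illustration only: not FreeRADIUS code. The per-instance
semantics of '!=' below are an assumption chosen to reproduce the debug
log in the post.
"""
from collections import defaultdict

# The usergroups file exactly as posted: group:user1,user2
USERGROUPS_FILE = """\
siteA:userA,userAll
siteB:userB,userAll
"""

# Users that have their own entry in the posted users file.
KNOWN_USERS = {"userA", "userB", "userAll"}

# NAS-Port -> group that the DEFAULT entries at lines 1 and 2 of the
# posted users file require (ML-Group!="siteA" on port 1, etc.).
PORT_GROUP = {1: "siteA", 2: "siteB"}


def parse_usergroups(text):
    """Return {user: [group, ...]}: one ML-Group instance per membership,
    in file order, mirroring the two 'Added ML-Group' lines in the log."""
    groups = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, _, members = line.partition(":")
        for user in members.split(","):
            user = user.strip()
            if user:
                groups[user].append(group)
    return dict(groups)


def reject_entry_matches(ml_groups, required, any_instance=True):
    """Evaluate the posted check item 'ML-Group != required'.

    any_instance=True  -> matched if ANY ML-Group instance differs
                          (assumption consistent with the posted log).
    any_instance=False -> matched only if NO instance equals `required`.
    """
    if any_instance:
        return any(g != required for g in ml_groups)
    return all(g != required for g in ml_groups)


def decide(user, nas_port, groups=None, any_instance=True):
    """Return 'Reject' or 'Accept' for user on nas_port under the posted
    users-file logic (matched DEFAULT entry -> Auth-Type := Reject)."""
    if groups is None:
        groups = parse_usergroups(USERGROUPS_FILE)
    if user not in KNOWN_USERS:
        return "Reject"  # falls through to the final DEFAULT entry
    required = PORT_GROUP.get(nas_port)
    if required is None:
        return "Accept"  # no port-specific entry applies
    if reject_entry_matches(groups.get(user, []), required, any_instance):
        return "Reject"
    return "Accept"


def decision_table(any_instance=True):
    """Decision for every known user on both ports, for a quick overview."""
    return {(u, p): decide(u, p, any_instance=any_instance)
            for u in sorted(KNOWN_USERS) for p in sorted(PORT_GROUP)}


if __name__ == "__main__":
    for semantics in (True, False):
        print("any-instance-differs" if semantics else "all-instances-differ")
        for (u, p), d in decision_table(semantics).items():
            print(f"  {u:8s} NAS-Port={p}: {d}")
```

Running it reproduces the post: under the any-instance semantics userA and userB get the intended single-port access, while userAll is rejected on both ports because one of its two ML-Group instances always differs from the required group.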