user belonging to multiple groups in rlm_passwd

Rafal Weglarz rafal.weglarz+ml at gmail.com
Wed Jun 8 12:21:32 CEST 2011


Dear freeradius-users,
I'm trying to configure different access to users based on group membership.
What I would like to achieve is that userA is allowed only through
NAS-Port 1, userB through NAS-Port 2 and userAll through both.
It seems to work OK as long as each user is only in one group. If I
put one user in two groups he is not able to log in. My configuration
is as follows:



FreeRADIUS Version 2.1.7

passwd usergroups {
       filename = /etc/raddb/usergroups
       format = "~ML-Group:*,User-Name"
       hashsize = 0
       ignorenislike = yes
}

usergroups is called before files in the authorize section

file usergroups:
siteA:userA,userAll
siteB:userB,userAll

file users:
DEFAULT NAS-Port==1,ML-Group!="siteA",Auth-type:=Reject
DEFAULT NAS-Port==2,ML-Group!="siteB",Auth-type:=Reject
userA   Cleartext-password := "qaz123"
       NS-Admin-Privilege := Read-Only-Admin
userB   Cleartext-password := "qaz123"
       NS-Admin-Privilege := Read-Only-Admin
userAll Cleartext-password := "qaz123"
       NS-Admin-Privilege := Root-Admin
DEFAULT Auth-type:= Reject

Fragment of the debug log for user userAll:
[usergroups] Added ML-Group: 'siteA' to request_items
[usergroups] Added ML-Group: 'siteB' to request_items
++[usergroups] returns ok
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
Login incorrect: [userAll] (from client localhost port 1)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> userAll
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

best regards
rafal weglarz
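As an added illustration (not code from the post, from rlm_passwd, or from FreeRADIUS), the following script models the policy the post is trying to express. It parses a copy of the usergroups file in the `~ML-Group:*,User-Name` layout (group name, then a comma-separated member list keyed by User-Name) into one ML-Group value per matching line, as the debug log shows for userAll, and then evaluates the intended rule "accept on NAS-Port 1 only if some ML-Group value is siteA, on NAS-Port 2 only if some value is siteB". The `PORT_TO_SITE` table, the function names, and the `allowed_first_value_only` check are assumptions made for the example; the naive first-value check is included only to show how a multi-valued attribute defeats a single-value test, and it is not a statement about how rlm_files compares check items.

```python
"""Model of the group-based NAS-Port policy described in the post.

Added example, not FreeRADIUS code. It parses a passwd-style file laid out
as "~ML-Group:*,User-Name" (field 0 = group name, field 1 = comma-separated
User-Name list) and evaluates the intended access rule. It does not
reproduce the check-item matching rules of rlm_files.
"""
from typing import Dict, List, Tuple

# Constructed copy of the /etc/raddb/usergroups file from the post.
USERGROUPS_FILE = """\
siteA:userA,userAll
siteB:userB,userAll
"""

# Assumed policy table: which site each NAS-Port is bound to.
PORT_TO_SITE = {1: "siteA", 2: "siteB"}


def parse_usergroups(text: str, delimiter: str = ":") -> Dict[str, List[str]]:
    """Return {user: [group, ...]} for the "~ML-Group:*,User-Name" layout.

    Every line whose member list contains the user contributes one group,
    so a user listed on two lines ends up with two ML-Group values.
    """
    membership: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(delimiter)
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields, got {len(fields)}")
        group, members = fields[0].strip(), fields[1]
        for user in (m.strip() for m in members.split(",")):
            if user:
                membership.setdefault(user, []).append(group)
    return membership


def request_items(membership: Dict[str, List[str]], user: str) -> List[Tuple[str, str]]:
    """Mirror the debug-log effect: one ML-Group request item per matching line."""
    return [("ML-Group", g) for g in membership.get(user, [])]


def allowed_any_value(groups: List[str], nas_port: int) -> bool:
    """Intended policy: accept if ANY ML-Group value names the port's site."""
    site = PORT_TO_SITE.get(nas_port)
    return site is not None and site in groups


def allowed_first_value_only(groups: List[str], nas_port: int) -> bool:
    """Naive check that consults only the first ML-Group value (assumed pitfall).

    Included to show why a policy over a multi-valued attribute must test all
    values; it is not a claim about what rlm_files actually does.
    """
    site = PORT_TO_SITE.get(nas_port)
    return bool(groups) and groups[0] == site


def decision_table(text: str = USERGROUPS_FILE) -> Dict[Tuple[str, int], Tuple[bool, bool]]:
    """Evaluate every user on every port: (any-value result, first-value-only result)."""
    membership = parse_usergroups(text)
    rows: Dict[Tuple[str, int], Tuple[bool, bool]] = {}
    for user in sorted(membership):
        groups = membership[user]
        for port in sorted(PORT_TO_SITE):
            rows[(user, port)] = (
                allowed_any_value(groups, port),
                allowed_first_value_only(groups, port),
            )
    return rows


if __name__ == "__main__":
    for (user, port), (any_ok, first_ok) in decision_table().items():
        print(f"{user:8} NAS-Port={port}  any-value={'accept' if any_ok else 'reject'}"
              f"  first-value-only={'accept' if first_ok else 'reject'}")
```

Running the script prints one row per user and port. Under the any-value check userAll is accepted on both ports, which is the behaviour the post wants; under the first-value-only check userAll is rejected on NAS-Port 2 because only siteA is consulted. When debugging a real server, the `Added ML-Group:` lines in the debug output are the place to confirm that all expected group values reached the request before the users file is evaluated.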
