how to use groups within freeradius
Ken Felix
kfelix at jdltech.com
Mon Jun 27 22:29:46 CEST 2011
Can anybody post a simple howto with regards to using groups within freeradius? What we would like to do is restrict some users from logging into various firewalls. I've created usergroups and defined
mysql> select * from usergroup ;
+------------------+-------------+----------+
| UserName         | GroupName   | priority |
+------------------+-------------+----------+
|                  | login users |        1 |
| asa1.test        | adminasa    |        1 |
| test.user        | Login users |        1 |
+------------------+-------------+----------+
and
mysql> select * from radgroupcheck ;
+----+-----------+----------------+----+----------------+
| id | GroupName | Attribute      | op | Value          |
+----+-----------+----------------+----+----------------+
|  1 | adminasa  | NAS-IP-Address | == | 10.252.128.11  |
|  2 | adminasa  | NAS-IP-Address | == | 10.252.253.199 |
|  3 | adminasa  | NAS-IP-Address | == | 10.250.32.68   |
|  4 | adminasa  | NAS-IP-Address | == | 10.250.32.69   |
|  5 | adminasa  | NAS-IP-Address | == | 10.254.32.68   |
|  6 | adminasa  | NAS-Identifier | == | 10.252.128.11  |
+----+-----------+----------------+----+----------------+
6 rows in set (0.00 sec)
Debug shows the following:
Sending Access-Reject of id 10 to 10.159.103.154 port 1812
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 10.252.128.11:1025, id=40, length=67
User-Name = "asa1.test"
User-Password = "33333333333330"
NAS-IP-Address = 10.252.128.11
NAS-Port = 43
NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
modcall[authorize]: module "preprocess" returns ok for request 18
modcall[authorize]: module "chap" returns noop for request 18
modcall[authorize]: module "mschap" returns noop for request 18
rlm_realm: No '@' in User-Name = "asa1.test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 18
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 18
modcall[authorize]: module "files" returns notfound for request 18
radius_xlat: 'asa1.test'
rlm_sql (sql): sql_set_user escaped user --> 'asa1.test'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'asa1.test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'asa1.test' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'asa1.test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'asa1.test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'asa1.test' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'asa1.test' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'asa1.test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'asa1.test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns ok for request 18
modcall: leaving group authorize (returns ok) for request 18
auth: type Crypt
Login OK: [asa1.test] (from client SBBC port 43)
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 18
rlm_sql (sql): Processing sql_postauth
radius_xlat: 'asa1.test'
rlm_sql (sql): sql_set_user escaped user --> 'asa1.test'
radius_xlat: 'INSERT into radacct (UserName, NASIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, CallingStationId, AcctTerminateCause, NASIdentifier) values ('asa1.test', '10.252.128.11', NOW(), NOW(), '0', 'Local', '', 'Access-Accept', '')'
radius_xlat: '/var/log/freeradius/sqltrace.sql'
rlm_sql (sql) in sql_postauth: query is INSERT into radacct (UserName, NASIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, CallingStationId, AcctTerminateCause, NASIdentifier) values ('asa1.test', '10.252.128.11', NOW(), NOW(), '0', 'Local', '', 'Access-Accept', '')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: INSERT into radacct (UserName, NASIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, CallingStationId, AcctTerminateCause, NASIdentifier) values ('asa1.test', '10.252.128.11', NOW(), NOW(), '0', 'Local', '', 'Access-Accept', '')
rlm_sql (sql): Released sql socket id: 2
modcall[post-auth]: module "sql" returns ok for request 18
modcall: leaving group post-auth (returns ok) for request 18
Sending Access-Accept of id 40 to 10.252.128.11 port 1025
Service-Type = Dialout-Framed-User
Finished request 18
Going to the next request
So I need some starting point of what/where to look at. Thanks
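The following is an added example, not code from the post above or from FreeRADIUS itself. It models how the radgroupcheck rows in the post are evaluated against the Access-Request shown in the debug output, on the rule that every check item belonging to one group must match the request, and that a check item for an attribute the request does not carry (NAS-Identifier here) does not match. The usergroup and radgroupcheck rows and the request attributes are copied from the post; the per-firewall groups with names of the form fw-<address>, and the single =~ row, are constructed alternatives that are not in the post. The model only implements the == and =~ operators, and it is written in Python so that it can be run stand-alone; it is not an rlm_sql configuration.

```python
# Added example, not code from the mailing-list post or from FreeRADIUS.
# It models how radgroupcheck rows are evaluated for one Access-Request,
# assuming that every check item of a group must match, and that a check
# item whose attribute is absent from the request does not match.
import re

# usergroup rows copied from the post: (UserName, GroupName, priority)
USERGROUP = [
    ("", "login users", 1),
    ("asa1.test", "adminasa", 1),
    ("test.user", "Login users", 1),
]

# radgroupcheck rows copied from the post: (GroupName, Attribute, op, Value)
RADGROUPCHECK = [
    ("adminasa", "NAS-IP-Address", "==", "10.252.128.11"),
    ("adminasa", "NAS-IP-Address", "==", "10.252.253.199"),
    ("adminasa", "NAS-IP-Address", "==", "10.250.32.68"),
    ("adminasa", "NAS-IP-Address", "==", "10.250.32.69"),
    ("adminasa", "NAS-IP-Address", "==", "10.254.32.68"),
    ("adminasa", "NAS-Identifier", "==", "10.252.128.11"),
]

# Access-Request attributes taken from the debug output in the post
REQUEST = {
    "User-Name": "asa1.test",
    "NAS-IP-Address": "10.252.128.11",
    "NAS-Port": "43",
    "NAS-Port-Type": "Virtual",
}

# Constructed alternative layout (not from the post): one group per firewall,
# each carrying a single check item, and the user put into the groups of the
# firewalls they may log in to.
PER_NAS_USERGROUP = [
    ("asa1.test", "fw-10.252.128.11", 1),
    ("asa1.test", "fw-10.250.32.68", 2),
]
PER_NAS_RADGROUPCHECK = [
    ("fw-10.252.128.11", "NAS-IP-Address", "==", "10.252.128.11"),
    ("fw-10.250.32.68", "NAS-IP-Address", "==", "10.250.32.68"),
]

# Constructed alternative keeping one group: a single =~ check item whose
# regular expression lists the permitted firewall addresses.
REGEX_RADGROUPCHECK = [
    ("adminasa", "NAS-IP-Address", "=~",
     r"^(10\.252\.128\.11|10\.252\.253\.199|10\.250\.32\.68|10\.250\.32\.69|10\.254\.32\.68)$"),
]


def check_item_matches(request, attribute, op, value):
    """Evaluate one check item against the request (== and =~ only)."""
    if attribute not in request:
        return False          # e.g. NAS-Identifier is not in the request above
    actual = request[attribute]
    if op == "==":
        return actual == value
    if op == "=~":
        return re.search(value, actual) is not None
    raise ValueError(f"operator {op!r} not modelled")


def groups_for_user(usergroup, username):
    """Names of the user's groups, lowest priority value first."""
    return [g for _, g in sorted((p, g) for u, g, p in usergroup if u == username)]


def matching_groups(usergroup, radgroupcheck, username, request):
    """Groups of the user whose check items all match; a group with no check items matches."""
    matched = []
    for group in groups_for_user(usergroup, username):
        items = [row for row in radgroupcheck if row[0] == group]
        if all(check_item_matches(request, a, op, v) for _, a, op, v in items):
            matched.append(group)
    return matched


if __name__ == "__main__":
    print("post's layout:", matching_groups(USERGROUP, RADGROUPCHECK, "asa1.test", REQUEST))
    print("per-NAS groups:", matching_groups(PER_NAS_USERGROUP, PER_NAS_RADGROUPCHECK, "asa1.test", REQUEST))
    print("regex group:", matching_groups(USERGROUP, REGEX_RADGROUPCHECK, "asa1.test", REQUEST))
    other = dict(REQUEST, **{"NAS-IP-Address": "10.159.103.154"})
    print("per-NAS groups, other NAS:", matching_groups(PER_NAS_USERGROUP, PER_NAS_RADGROUPCHECK, "asa1.test", other))
```

Running it prints that, with all six rows in one group, no group matches the request from 10.252.128.11 (only the first row can be true for a single NAS-IP-Address value, and the NAS-Identifier row has nothing to compare against), while the per-firewall layout and the regex row both match that request, and the per-firewall layout matches nothing for a request from 10.159.103.154.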