Huntgroup Implementation with MySQL and Radgroupcheck
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jul 26 11:07:49 CEST 2012
On 07/26/2012 09:51 AM, Jenny Blunt wrote:
> I'm looking for some help with the implementation of huntgroups.
>
> Am using mysql and have followed the following topic through:
>
>
> http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-td4950385.html
>
> In sites-available/default I have this (just after preprocess):
>
> update request {
>     Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}"
> }
Don't do this.
Read the 2nd email in the thread you linked to.
Huntgroup-Name is a special attribute; comparisons are executed
dynamically. You can't just use it like an ordinary string attribute.
Define another attribute in raddb/dictionary:
ATTRIBUTE SQL-Location 3010 string
...and use that.
> authorize_group_check_query = "SELECT id, groupname, attribute_name, \
>     Value, op \
>     FROM ${groupcheck_table} \
>     WHERE ( groupname = '%{Sql-Group}' OR groupname = '%{Huntgroup-Name}' ) \
>     ORDER BY id"
>
> (Which doesn't make logical sense to me)
It doesn't make sense to me either. So why do it?
>
> What I'm failing to get my head around is how to reject or allow access
> based on the location they're dialing in from?
>
> For example, a user from IP 1.x.x.x should be allowed access at location
> 1 only.
I don't know what this means.
Write down the policy you want in plain english. Figure out what sources
of data you need to execute that policy. Read those sources of data into
attributes. Write a policy to check them.
For example:
authorize {
    # Read the location into an ordinary string attribute (the one
    # defined in raddb/dictionary); the table and column are whatever
    # holds that data.
    update request {
        SQL-Location = "%{sql:select location from ...}"
    }
    # Policy: if the NAS is in 1.x.x.x but the looked-up location is
    # not "Location 1", reject.
    if (NAS-IP-Address =~ /^1\./) {
        if (SQL-Location != "Location 1") {
            reject
        }
    }
}
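The recipe above (read each data source into its own ordinary attribute, then write the policy in unlang) as a complete authorize section. This is an added example, not code from the thread or from the FreeRADIUS project. It assumes the radhuntgroup(nasipaddress, groupname) table from the quoted query and the SQL-Location attribute suggested above, and it adds two assumptions of its own: a second local attribute SQL-User-Location (number 3011 is just an assumed free slot in the local range) and a hypothetical userlocation(username, location) table recording the one site each user may dial in from. It generalizes the 1.x.x.x check into "a user is only accepted on a NAS at their own location", and leaves authorize_group_check_query at its default rather than patching Huntgroup-Name into it.

```unlang
# sites-available/default, authorize section (added example).
# Both attributes must exist in raddb/dictionary first, e.g.
#   ATTRIBUTE SQL-Location       3010 string
#   ATTRIBUTE SQL-User-Location  3011 string   (3011 is an assumed free number)
# Numbers above 255 outside a vendor space are internal-only, so neither
# attribute can be supplied by the NAS in the Access-Request.
authorize {
    preprocess

    # 1. Which location is this NAS in?  (table from the quoted query)
    #    The %{sql:...} xlat escapes the expanded attribute values before
    #    the query runs, so a hostile User-Name cannot inject SQL here.
    update request {
        SQL-Location := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress = '%{NAS-IP-Address}'}"
    }

    # 2. Which location is this user allowed to use?  (assumed table)
    update request {
        SQL-User-Location := "%{sql:SELECT location FROM userlocation WHERE username = '%{User-Name}'}"
    }

    # 3. Fail closed: an unknown NAS, or a user with no location row, comes
    #    back as an empty string and must not fall through to an allow.
    if ("%{SQL-Location}" == "" || "%{SQL-User-Location}" == "") {
        reject
    }

    # 4. The policy itself: the user's permitted location must match the
    #    location of the NAS they are dialing in through.
    if ("%{SQL-Location}" != "%{SQL-User-Location}") {
        reject
    }

    # Only requests that passed the location check reach the normal
    # authentication sources.
    sql
    pap
}
```

Keeping the two lookups in plain string attributes means the policy is visible in one place and can be tested with radtest against a few NAS addresses, instead of being hidden inside a modified group-check query.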