SV: SV: Make sense of SQL Huntgroup HOWTO?

Joel Bergmark joel.bergmark at t3.se
Fri Dec 18 17:30:02 CET 2015


Sorry for not being clear enough nor a programmer :)

What I want to do is to control users belonging to group "2ndline" to only access specific NAS defined as 2ndline in the huntgroups. If a member of 2ndline tries to log in to a NAS defined to 3rdline or any other group, FreeRADIUS should deny access.

That is what I believed that this function aimed to do, and what I can't fix is to get the variables right. But I guess that this should be dynamically checked.

Assuming a user in 2ndline group trying to log in to a NAS defined in huntgroup to be 3rdline:

update request {
        Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
}
# the right-hand side is a placeholder: users groupname 2ndline (I imagine this to be a sql query)
if (Huntgroup-Name != <users groupname>) {
        reject
}

Sorry if this is something not supposed to be dealt with on this mailing list, but the alternative is to set up double radius servers, and that seems backwards. I will document the solution to this on the wiki, if I get it working.

Thanks for your patience.
Regards, Joel



-----Original message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+joel.bergmark=t3.se at lists.freeradius.org] On behalf of Matthew Newton
Sent: 18 December 2015 17:10
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: SV: Make sense of SQL Huntgroup HOWTO?

On Fri, Dec 18, 2015 at 03:51:28PM +0000, Joel Bergmark wrote:
> Thanks for the input, I see that the issue is that I'm not a coder and 
> didn't realise the function fully. The howto implies that this will 
> check and reject, but I see my misinterpretation.

But what you've got *does* check and reject. It checks to see if the Huntgroup-Name set is blank, and rejects if so.

> But I don’t see how to deny login: if the user is not a member of the 
> Huntgroup-Name then reject?
> 
> I think the answer to this question should go up on the wiki, I 
> emailed with several people that previously asked about this, but 
> never got it working and gave up on freeradius.

I'm afraid I'm having trouble trying to understand exactly when you want to reject. When the user is in a particular huntgroup? Or if they are not in a huntgroup? Or something else?

Matthew


--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
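
The check asked for in the message at the top of this page (accept only when the user belongs to the group that the NAS's huntgroup names, reject otherwise, including when the NAS has no huntgroup) is modelled below as an added example; it is not part of the original posts and is not FreeRADIUS configuration. It assumes the standard radusergroup table next to the radhuntgroup table from the message, reduced to the columns used here, with constructed users and addresses, and runs the lookup in SQLite.

```python
import sqlite3

# Constructed sample data using the FreeRADIUS table names radusergroup and
# radhuntgroup (reduced to the columns needed); all rows are made up.
SCHEMA = """
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radhuntgroup (groupname TEXT, nasipaddress TEXT);
INSERT INTO radusergroup VALUES ('alice', '2ndline', 1), ('bob', '3rdline', 1),
                                ('carol', '2ndline', 1), ('carol', '3rdline', 2);
INSERT INTO radhuntgroup VALUES ('2ndline', '192.0.2.10'),
                                ('3rdline', '192.0.2.20');
"""

# One query answers: does this user belong to the group this NAS is assigned to?
MATCH_SQL = """
SELECT COUNT(*) FROM radhuntgroup AS hg
JOIN radusergroup AS ug ON ug.groupname = hg.groupname
WHERE hg.nasipaddress = ? AND ug.username = ?
"""


def make_db():
    """Build an in-memory database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def decide(db, username, nas_ip):
    """Return 'accept' only if the user is in the huntgroup of the NAS."""
    # Values are bound as parameters, never pasted into the SQL string.
    # Fail closed: a NAS without a huntgroup row matches nothing -> reject.
    (matches,) = db.execute(MATCH_SQL, (nas_ip, username)).fetchone()
    return "accept" if matches > 0 else "reject"


if __name__ == "__main__":
    db = make_db()
    for user, nas in [("alice", "192.0.2.10"), ("alice", "192.0.2.20"),
                      ("carol", "192.0.2.20"), ("bob", "198.51.100.1")]:
        print(user, nas, decide(db, user, nas))
```
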