SV: SV: Make sense of SQL Huntgroup HOWTO?
Joel Bergmark
joel.bergmark at t3.se
Fri Dec 18 17:30:02 CET 2015
Sorry for not being clear enough nor a programmer :)
What I want to do is to control users belonging to group "2ndline" to only access specific NASes defined as 2ndline in the huntgroups. If a member of 2ndline tries to log in to a NAS defined as 3rdline or any other group, FreeRADIUS should deny access.
That is what I believed that this function aimed to do, and what I can't fix is to get the variables right, but I guess that this should be dynamically checked.
Assuming a user in 2ndline group trying to log in to a NAS defined in huntgroup to be 3rdline:
    update request {
        Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
    }
    if (Huntgroup-Name != users groupname 2ndline) {    # I imagine this to be a sql query
        reject
    }
Sorry if this is something not supposed to be dealt with on this mailing list, but the alternative is to set up double radius servers, and that seems backwards. I will document the solution to this on the wiki, if I get it working.
Thanks for your patience.
Regards, Joel
-----Original message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+joel.bergmark=t3.se at lists.freeradius.org] On behalf of Matthew Newton
Sent: 18 December 2015 17:10
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: SV: Make sense of SQL Huntgroup HOWTO?
On Fri, Dec 18, 2015 at 03:51:28PM +0000, Joel Bergmark wrote:
> Thanks for the input, I see that the issue is that I'm not a coder and
> didn't realise the function fully. The howto implies that this will
> check and reject, but I see my misinterpretation.
But what you've got *does* check and reject. It checks to see if the Huntgroup-Name set is blank, and rejects if so.
> But I don’t see how to deny login: if the user is not a member of the
> Huntgroup-Name then reject?
>
> I think the answer to this question should go up on the wiki, I
> emailed with several people that previously asked about this, but
> never got it working and gave up on freeradius.
I'm afraid I'm having trouble trying to understand exactly when you want to reject. When the user is in a particular huntgroup? Or if they are not in a huntgroup? Or something else?
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
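
The policy described in the message above, written out as an added example (not from the thread or from the FreeRADIUS wiki). It assumes the sql module instance is named sql, that user-to-group membership is stored in the stock radusergroup table (columns username, groupname), and that huntgroup names in radhuntgroup are the same strings as the user group names (for example "2ndline").

```unlang
# Added example: place in the authorize section, after the request has been
# preprocessed and before any authentication method is selected.

# Step 1: look up which huntgroup the NAS belongs to (query from the post).
update request {
    Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
}

# Step 2: fail closed. A NAS that is not listed in radhuntgroup yields an
# empty Huntgroup-Name, so no group could ever match it.
if (Huntgroup-Name == "") {
    reject
}

# Step 3: accept only if the user has a radusergroup row whose groupname
# equals the huntgroup of the NAS being logged in to. The else branch also
# catches an empty or failed lookup, so an SQL error results in a reject.
if ("%{sql:SELECT COUNT(*) FROM radusergroup WHERE username='%{User-Name}' AND groupname='%{request:Huntgroup-Name}'}" > 0) {
    noop
}
else {
    reject
}
```

With this in place, a user whose only group is 2ndline is rejected on a NAS whose radhuntgroup row says 3rdline, because the COUNT(*) for that username and groupname pair is 0.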