Re: Make sense of SQL Huntgroup HOWTO?

Joel Bergmark joel.bergmark at t3.se
Fri Dec 18 21:38:02 CET 2015


I'm not sure I have been clear enough.

If the conditions below are met, i.e. it's determined that the user is 2ndline and the NAS is 3rdline, then it's supposed to be rejected? If so, then it's not working, since the RADIUS server allows access. If not, then I probably haven't made myself understood: if a user is recognized as 2ndline and attempts to log in to something belonging to 3rdline, it should be rejected.

Perhaps something more like this would work as described?

        update request {
                Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
        }
        if ((Huntgroup-Name == "2ndline" || SQL-Group != "2ndline")) {
                reject
        }

Regards, Joel

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+joel.bergmark=t3.se at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 18 December 2015 18:37
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Make sense of SQL Huntgroup HOWTO?

On Dec 18, 2015, at 12:31 PM, Joel Bergmark <joel.bergmark at t3.se> wrote:
> 
> Thank you for the help! Indeed this looks more simplistic and nice! :)
> 
> Everything is in the SQL, necessary since using daloradius as frontend.

 OK.

> Just a follow up on:
> 	if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) {
> 		reject
> 	}
> How to determine the 'SQL-Group' in a simple way? Tried it as is to see how it behaved, and got:

  What's "how to determine"?  As I said, you put the user / group into SQL.  The SQL module has documentation for how this is done.

> +- entering group authorize {...}
> sql_xlat
>        expand: %{User-Name} -> bl
> sql_set_user escaped user --> 'bl'
>        expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='46.23X.XX.170'
> rlm_sql (sql): Reserving sql socket id: 3
> sql_xlat finished
> rlm_sql (sql): Released sql socket id: 3
>        expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> 3rdline

  That's pretty clear.

> ++[request] returns not found
> ++? if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline"))
> ?? Evaluating (Huntgroup-Name == "2ndline") -> FALSE

  Because it's '3rdline'

> ?? Skipping (SQL-Group != "2ndline")
> ++? if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) -> FALSE
> ++[chap] returns noop

  And it's not checking SQL-Group.  Because the Huntgroup-Name doesn't match.

  Reading the debug output helps.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
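Added example, not part of the thread and not FreeRADIUS's own shipped configuration: a FreeRADIUS 2.x `authorize` fragment that enforces the huntgroup/user-group match in both directions. The single `if` in the quoted reply only fires when the NAS's huntgroup is `2ndline`, so a `2ndline` user on a `3rdline` NAS (the case in the debug output above, where `Huntgroup-Name` expands to `3rdline`) is never rejected; the condition evaluates to FALSE at the first clause and the request goes on to be accepted. The `radhuntgroup` query and the `sql` instance name are taken from the thread, and `SQL-Group` is rlm_sql's group comparison against the stock `radusergroup` table (username to groupname). The placement after the `sql` call, the empty-string behaviour for an unknown NAS, and the expanded right-hand-side form mentioned below are assumptions and are labelled as such in the comments.

```unlang
#  Added example for the authorize section of a FreeRADIUS 2.x site
#  (e.g. sites-enabled/default). Not the project's own configuration.
authorize {
        #  ... preprocess, chap, mschap, suffix etc. as in the default site ...

        #  Assumption: calling sql first guarantees SQL-User-Name is set for
        #  the later SQL-Group comparison (the debug output shows sql_set_user
        #  also running inside the %{sql:...} xlat, so this is belt and braces).
        sql

        #  Map the NAS to its huntgroup from the radhuntgroup table (query
        #  taken from the thread). The %{NAS-IP-Address} expansion inside
        #  %{sql:...} is run through rlm_sql's escape function, and the
        #  attribute is of type ipaddr, so it is not an injection vector.
        update request {
                Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
        }

        #  Assumption: a NAS that is not in radhuntgroup expands to an empty
        #  string. Fail closed rather than let an unmapped NAS through.
        if (Huntgroup-Name == "") {
                reject
        }

        #  One literal check per huntgroup, in the style of the quoted reply.
        #  A user who is not in the 2ndline group on a 2ndline NAS is rejected
        #  here ...
        if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) {
                reject
        }
        #  ... and a user who is not in the 3rdline group on a 3rdline NAS is
        #  rejected here. This second check is the one the quoted config lacks,
        #  which is why the 2ndline user on the 3rdline NAS was accepted.
        if ((Huntgroup-Name == "3rdline") && (SQL-Group != "3rdline")) {
                reject
        }

        #  ... pap etc. as in the default site ...
}
```

The two literal checks can be collapsed into `if (SQL-Group != "%{Huntgroup-Name}") { reject }`, on the assumption that the right-hand side of a double-quoted condition is xlat-expanded before the comparison in this version; that form needs no edit when a new huntgroup is added to `radhuntgroup`. Either way, verify with `radiusd -X` that the `expand:` line for `Huntgroup-Name` shows the expected group name and that the `?? Evaluating` lines for both clauses appear for a user that should be rejected, since a condition that short-circuits on the first clause (as in the quoted debug output) is the usual sign the policy is checking the wrong direction.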
