User Groups within FR

Alan DeKok aland at deployingradius.com
Tue May 26 19:56:28 CEST 2015


On May 26, 2015, at 12:05 PM, Ben Humpert <ben at an3k.de> wrote:
> I know how time consuming it is to have your software well documented
> so that it's easy to read, that others can understand it and that it's
> nearly always up-to-date. So currently there are five, well six
> locations where documentation is available. freeradius.org website,
> freeradius.org wiki, networkradius.com, deployingradius.com, example
> config files and manpages.

- freeradius.org contains HTML versions of the man pages, so there's
  little duplication there

- wiki.freeradius.org is maintained by other people.  It contains
  collections of things about FreeRADIUS, mostly how-to's.
  I don't think I've made a serious edit in months.

- the example configs in raddb should ALWAYS be up to date,
  and document every configuration item

- the "man" pages are up to date, and document syntax, etc.
  that isn't documented in the configs.  The "man" pages rarely
  change.  Keeping them up to date is easy

- deployingradius.com contains a few how-to's for historical
  purposes.  I don't think I've made a change in years.  That documentation
  is correct, but doesn't need changing.

- networkradius.com/doc/ is in process.  It contains full documentation
  for all of the modules, config, concepts, etc.  It already has 100's of pages,
  and will contain hundreds more.  It's where the bulk of the new documentation
  is going.

> This not only means much more work for you
> (since you have to take care about all the sources) but also more
> hassle for users to find what they need since they have to search all
> these.

  For simple things, read the config.  For a bit more complex things, read the man pages.  For more detail... go to freeradius.org, and follow the links.

  People who google random topics, and then read 10-year-old third party web sites are wasting their time.

  We're also working on updating the freeradius.org web site.  It should look more modern, and have clearer links to the documentation.

> I really would like to help you guys with the documentation stuff so
> that you have more time answering my questions here ... ehm, actually
> I meant to say "bugfixing and improving FreeRADIUS" ;-)

  Sure.  www.freeradius.org is on github.  Feel free to fork it, and submit pull requests.  The same applies to all of the example configs and man pages.

> I really like the versioning behind
> http://networkradius.com/doc/current/ but I think the easiest way
> would be to use the wiki, setting it up as read-only and only grant
> "good people" write access. Or grant write access to everybody but
> every change not made by "good people" has to be verified before it's
> published.

  For a variety of reasons, that won't work.  The people who understand FreeRADIUS usually don't have the time to write huge amounts of documentation.  I've started doing it because FreeRADIUS is my full-time job.  I've been investing real $$$ into the documentation, so that it looks good, is well organized, is copy edited, and makes it easy to find things.

  Maybe once that's all online, I can put it into "git" and accept patches.  Until then, it's still in a state of change.

> I used this in my config but when I check the attribute it contains
> "ssid1,ssid2".
> 
> /etc/freeradius/mods-enabled/groups
> format = "~My-Group-Name:,~My-Called-Station-Ssid:*,User-Name"

  Use commas only at the end.  And I'm not sure what you're doing there.  The passwd module doesn't allow multiple values for multiple attributes.  It allows multiple values for ONE attribute, and then ONLY at the end of the list.

  See raddb/mods-available/etc_group for an example.  Use that format, while knowing that you don't need multiple ":":

format = ~My-Group-Name:*,User-Name

  and in the file:

groupA:user1,user2,user3
groupB:user3,user4,user5

> Anyway, what should the comma actually do?

  It allows multiple values for the LAST attribute in a list.  Just like the etc_group example.  If you want something more complex, you'll have to use something else.

  I'd suggest keeping things simple.  If users are allowed to connect to a restricted set of SSIDs, then put the users into groups: "permissive" and "restricted".  Then, do group checking against the SSIDs.

  If you have 2-3 SSIDs, this is the simplest way to do it.  If you have 100's of SSIDs, I have to question why that's done...

  Alan DeKok.
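
Added example (not part of the original message, and not FreeRADIUS code): a simplified Python model of the group file layout above, where only the last field holds a comma-separated list and lookups are keyed on the user name, followed by the suggested "permissive" / "restricted" group check against the SSID. The SSID names, the ALLOWED_SSIDS policy table and the function names are assumptions made for illustration.

```python
# Simplified model (an assumption for illustration) of a lookup against a
# file in the "group:user1,user2,..." layout, keyed on the user names.
from collections import defaultdict

# Constructed sample data in the layout shown in the message.
GROUP_FILE = """\
permissive:user1,user2
restricted:user3,user4
"""

# Hypothetical policy: SSIDs each group may use; None means any SSID.
ALLOWED_SSIDS = {"permissive": None, "restricted": {"guest"}}


def parse_group_file(text):
    """Return {user: [groups]}; only the LAST field is split on commas."""
    index = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        group, sep, members = line.partition(":")
        if not sep or not group:
            raise ValueError(f"line {lineno}: expected 'group:user,user'")
        for user in members.split(","):
            user = user.strip()
            if user and group not in index[user]:
                index[user].append(group)
    return dict(index)


def ssid_allowed(index, user, ssid):
    """Fail closed: unknown users and unknown groups get no access."""
    for group in index.get(user, []):
        if group not in ALLOWED_SSIDS:
            continue
        allowed = ALLOWED_SSIDS[group]
        if allowed is None or ssid in allowed:
            return True
    return False


if __name__ == "__main__":
    idx = parse_group_file(GROUP_FILE)
    for user, ssid in [("user1", "corp"), ("user3", "corp"), ("user3", "guest")]:
        print(user, ssid, ssid_allowed(idx, user, ssid))
```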



