multiple huntgroups for the same NAS-IP-ADDRESS
ERIC TANGUY
eric.tanguy at arkea.com
Wed Oct 14 10:10:39 CEST 2015
Hello
I use freeradius 3.0.9 and I want to define multiple huntgroups for the same NAS-IP-ADDRESS in the huntgroup file.
I'm using mysql and have followed the following topic:
http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-td4950385.html
In sites-available/myconfig I have this (just after preprocess):
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
preprocess

####### Added: NAS IP address check
# Look the NAS up in radhuntgroup on the first SQL instance.  The
# %{sql:...} expansion yields the first column of the first row, or ""
# when the query returns nothing.
update request {
	Huntgroup-Name := "%{sqldbvradius1-a:SELECT `huntgroupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}"
}
if (Huntgroup-Name =~ /^$/) {
	# empty string; try 2nd sql
	update request {
		Huntgroup-Name := "%{sqldbvradius1-b:SELECT `huntgroupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}"
	}
}
##############################
In my radgroupcheck Mysql table
select * from radgroupcheck;
+----+--------------+----------------+----+-------------+
| id | groupname    | attribute      | op | value       |
+----+--------------+----------------+----+-------------+
|  1 | AdminRI      | Auth-Type      | := | LDAPARKEA   |
|  2 | AdminRI_MOTP | Auth-Type      | := | PAMMOTP     |
|  3 | AdminRI_RSA  | Auth-Type      | := | PAMRSA      |
|  4 | AdminRI      | Huntgroup-Name | =~ | Pool1|Pool2 |
|  5 | AdminRI_MOTP | Huntgroup-Name | =~ | Pool3|Pool2 |
|  6 | AdminRI_RSA  | Huntgroup-Name | =~ | Pool3|Pool2 |
+----+--------------+----------------+----+-------------+
6 rows in set (0.00 sec)
In my radhuntgroup Mysql table
select * from radhuntgroup;
+----+----------+-------+---------------+----------------+-----------+
| id | Location | Zone  | huntgroupname | nasipaddress   | nasportid |
+----+----------+-------+---------------+----------------+-----------+
|  1 | rennes   | verte | Pool1         | 10.154.253.1   |           |
|  2 | rennes   | verte | Pool1         | 10.154.253.2   |           |
|  3 | rennes   | verte | Pool1         | 10.154.253.3   |           |
|  4 | rennes   | verte | Pool2         | 10.154.253.236 |           |
|  5 | rennes   | verte | Pool3         | 10.154.253.4   |           |
+----+----------+-------+---------------+----------------+-----------+
5 rows in set (0.00 sec)
An extract of my radusergroup mysql table
select * from radusergroup;
+------------+--------------+----------+
| username   | groupname    | priority |
+------------+--------------+----------+
| a0327      | AdminRI      |        1 |
| a0327_motp | AdminRI_MOTP |        1 |
| a0327_rsa  | AdminRI_RSA  |        1 |
+------------+--------------+----------+
36 rows in set (0.00 sec)
My debug log:
Ready to process requests
(1) Received Access-Request Id 125 from 10.241.33.1:39902 to 10.239.131.11:1812 length 102
(1) User-Name = "a0327_rsa"
(1) User-Password = "XXXXXXXX"
(1) NAS-Port = 2
(1) NAS-Port-Id = "tty2"
(1) NAS-Port-Type = Virtual
(1) NAS-IP-Address = 10.154.253.236
(1) Event-Timestamp = "Oct 9 2015 17:15:43 CEST"
(1) Message-Authenticator = 0xea12faeecab79952f4c77f43f464894e
(1) Proxy-State = 0x313936
(1) # Executing section authorize from file /opt/freeradius-3.0.9/etc/raddb/sites-enabled/myconfig
(1) authorize {
(1) policy filter_username {
(1) if (!&User-Name) {
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ ) {
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) update request {
(1) EXPAND %{User-Name}
(1) --> a0327_rsa
(1) SQL-User-Name set to 'a0327_rsa'
rlm_sql (sqldbvradius1-a): Reserved connection (4)
(1) Executing select query: SELECT `huntgroupname` FROM `radhuntgroup` WHERE nasipaddress='10.154.253.236'
rlm_sql (sqldbvradius1-a): Released connection (4)
rlm_sql (sqldbvradius1-a): 0 of 7 connections in use. Need more spares
rlm_sql (sqldbvradius1-a): Opening additional connection (7), 1 of 25 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'dbvradius1' on radiustux1-a.l.infra.arkea.com via TCP/IP, server version 5.6.24-enterprise-commercial-advanced-log, protocol version 10
(1) EXPAND %{sqldbvradius1-a:SELECT `huntgroupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}
(1) --> Pool2
(1) Huntgroup-Name := Pool2
(1) } # update request = noop
(1) if (Huntgroup-Name =~ /^$/) {
(1) if (Huntgroup-Name =~ /^$/) -> FALSE
(1) underscore: Checking for suffix after "_"
(1) underscore: Looking up realm "rsa" for User-Name = "a0327_rsa"
(1) underscore: Found realm "rsa"
(1) underscore: Adding Stripped-User-Name = "a0327"
(1) underscore: Adding Realm = "rsa"
(1) underscore: Authentication realm is LOCAL
(1) [underscore] = ok
(1) arobase: Request already has destination realm set. Ignoring
(1) [arobase] = noop
(1) [files] = noop
(1) group {
(1) sqldbvradius1-a: EXPAND %{User-Name}
(1) sqldbvradius1-a: --> a0327_rsa
(1) sqldbvradius1-a: SQL-User-Name set to 'a0327_rsa'
rlm_sql (sqldbvradius1-a): Reserved connection (0)
(1) sqldbvradius1-a: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sqldbvradius1-a: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'a0327_rsa' ORDER BY id
(1) sqldbvradius1-a: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'a0327_rsa' ORDER BY id
(1) sqldbvradius1-a: User found in radcheck table
(1) sqldbvradius1-a: Conditional check items matched, merging assignment check items
(1) sqldbvradius1-a: Expiration := "Dec 30 2035 00:00:00 CET"
(1) sqldbvradius1-a: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sqldbvradius1-a: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'a0327_rsa' ORDER BY id
(1) sqldbvradius1-a: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'a0327_rsa' ORDER BY id
(1) sqldbvradius1-a: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sqldbvradius1-a: --> SELECT groupname FROM radusergroup WHERE username = 'a0327_rsa' ORDER BY priority
(1) sqldbvradius1-a: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'a0327_rsa' ORDER BY priority
(1) sqldbvradius1-a: User found in the group table
(1) sqldbvradius1-a: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{sqldbvradius1-a-SQL-Group}' ORDER BY id
(1) sqldbvradius1-a: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'AdminRI_RSA' ORDER BY id
(1) sqldbvradius1-a: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'AdminRI_RSA' ORDER BY id
rlm_sql (sqldbvradius1-a): Released connection (0)
(1) [sqldbvradius1-a] = ok
(1) } # group = ok
(1) expiration: Account will expire at 'Dec 30 2035 00:00:00 CET'
(1) [expiration] = ok
(1) [logintime] = noop
(1) } # authorize = ok
(1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(1) Failed to authenticate the user
(1) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [a0327_rsa] (from client proxyradiustux1-a port 2)
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /opt/freeradius-3.0.9/etc/raddb/sites-enabled/vradius1-a
(1) Post-Auth-Type REJECT {
(1) redundant (null) {
(1) sqldbvradius1-a: EXPAND .query
(1) sqldbvradius1-a: --> .query
(1) sqldbvradius1-a: Using query template 'query'
rlm_sql (sqldbvradius1-a): Reserved connection (5)
(1) sqldbvradius1-a: EXPAND %{User-Name}
(1) sqldbvradius1-a: --> a0327_rsa
(1) sqldbvradius1-a: SQL-User-Name set to 'a0327_rsa'
(1) sqldbvradius1-a: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(1) sqldbvradius1-a: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'a0327_rsa', '2812525337', 'Access-Reject', '2015-10-09 17:15:43')
(1) sqldbvradius1-a: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'a0327_rsa', '2812525337', 'Access-Reject', '2015-10-09 17:15:43')
(1) sqldbvradius1-a: SQL query returned: success
(1) sqldbvradius1-a: 1 record(s) updated
rlm_sql (sqldbvradius1-a): Released connection (5)
(1) [sqldbvradius1-a] = ok
(1) } # redundant (null) = ok
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> a0327_rsa
(1) attr_filter.access_reject: Matched entry DEFAULT at line 18
(1) [attr_filter.access_reject] = updated
(1) eap: Request didn't contain an EAP-Message, not inserting EAP-Failure
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 2.000000 seconds
Waking up in 0.2 seconds.
Waking up in 1.7 seconds.
If I replace my radgroupcheck:
+----+--------------+----------------+----+-------------+
| id | groupname    | attribute      | op | value       |
+----+--------------+----------------+----+-------------+
|  1 | AdminRI      | Auth-Type      | := | LDAP        |
|  2 | AdminRI_MOTP | Auth-Type      | := | PAMMOTP     |
|  3 | AdminRI_RSA  | Auth-Type      | := | PAMRSA      |
|  4 | AdminRI      | Huntgroup-Name | =~ | Pool1|Pool2 |
|  5 | AdminRI_MOTP | Huntgroup-Name | =~ | Pool3|Pool2 |
|  6 | AdminRI_RSA  | Huntgroup-Name | =~ | Pool3|Pool2 |
+----+--------------+----------------+----+-------------+
with this:
+----+--------------+----------------+----+-------------+
| id | groupname    | attribute      | op | value       |
+----+--------------+----------------+----+-------------+
|  1 | AdminRI      | Auth-Type      | := | LDAP        |
|  2 | AdminRI_MOTP | Auth-Type      | := | PAMMOTP     |
|  3 | AdminRI_RSA  | Auth-Type      | := | PAMRSA      |
|  4 | AdminRI      | Huntgroup-Name | == | Pool1       |
|  5 | AdminRI_MOTP | Huntgroup-Name | == | Pool3       |
|  6 | AdminRI_RSA  | Huntgroup-Name | == | Pool2       |
+----+--------------+----------------+----+-------------+
It's a success, but it's not what I want.
I want to use multiple huntgroups for the same NAS-IP-Address.
What is the right configuration?
Is it possible to do, and how?
Regards
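An added example, not from the post or the thread: a self-contained MySQL script that rebuilds the three tables above from the rows shown (reduced to the columns the check uses), adds an assumed second radhuntgroup row for 10.154.253.236, and evaluates every Huntgroup-Name check item of the user's groups against every huntgroup of that NAS using the row's own operator, so the data side of the match can be inspected independently of the server.

```sql
-- Constructed reproduction of the tables from the post (not the poster's
-- schema dump); columns reduced to what the Huntgroup-Name check uses.
CREATE TABLE radhuntgroup (
  id INT PRIMARY KEY, huntgroupname VARCHAR(64), nasipaddress VARCHAR(15));
CREATE TABLE radusergroup (
  username VARCHAR(64), groupname VARCHAR(64), priority INT);
CREATE TABLE radgroupcheck (
  id INT PRIMARY KEY, groupname VARCHAR(64), attribute VARCHAR(64),
  op VARCHAR(2), value VARCHAR(253));

INSERT INTO radhuntgroup VALUES
  (1,'Pool1','10.154.253.1'), (2,'Pool1','10.154.253.2'),
  (3,'Pool1','10.154.253.3'), (4,'Pool2','10.154.253.236'),
  (5,'Pool3','10.154.253.4'),
  -- assumed extra row: the same NAS also belongs to a second huntgroup
  (6,'Pool3','10.154.253.236');
INSERT INTO radusergroup VALUES
  ('a0327','AdminRI',1), ('a0327_motp','AdminRI_MOTP',1),
  ('a0327_rsa','AdminRI_RSA',1);
INSERT INTO radgroupcheck VALUES
  (1,'AdminRI','Auth-Type',':=','LDAPARKEA'),
  (2,'AdminRI_MOTP','Auth-Type',':=','PAMMOTP'),
  (3,'AdminRI_RSA','Auth-Type',':=','PAMRSA'),
  (4,'AdminRI','Huntgroup-Name','=~','Pool1|Pool2'),
  (5,'AdminRI_MOTP','Huntgroup-Name','=~','Pool3|Pool2'),
  (6,'AdminRI_RSA','Huntgroup-Name','=~','Pool3|Pool2');

-- Every huntgroup the NAS belongs to; the %{sql:...} expansion in the
-- post only ever sees the first row of this result.
SELECT huntgroupname FROM radhuntgroup
 WHERE nasipaddress = '10.154.253.236' ORDER BY id;

-- For one user and NAS, apply each Huntgroup-Name check item to each
-- huntgroup of that NAS with the operator stored in the row.
SELECT ug.groupname, gc.op, gc.value, hg.huntgroupname,
       CASE gc.op
         WHEN '==' THEN hg.huntgroupname = gc.value
         WHEN '!=' THEN hg.huntgroupname <> gc.value
         WHEN '=~' THEN hg.huntgroupname REGEXP gc.value
         WHEN '!~' THEN NOT (hg.huntgroupname REGEXP gc.value)
       END AS matches
  FROM radusergroup  ug
  JOIN radgroupcheck gc ON gc.groupname = ug.groupname
                       AND gc.attribute = 'Huntgroup-Name'
  JOIN radhuntgroup  hg ON hg.nasipaddress = '10.154.253.236'
 WHERE ug.username = 'a0327_rsa'
 ORDER BY ug.priority, gc.id, hg.id;
```

The `matches` column shows what the stored operator asks of the data; because the `%{sqldbvradius1-a:...}` expansion returns only the first column of the first row, a NAS with several radhuntgroup rows still yields a single Huntgroup-Name in the request.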