Freeradius3 + SQL -> radusergroup check is not matched

Martin Bednar mato.bednar at gmail.com
Mon May 22 16:16:15 CEST 2017


Hello,

If anyone is interested in the future - my problem was quite simple:

for the eap module I didn't enable

copy_request_to_tunnel = yes

so it makes sense now that there was no match in radgroupcheck as
there was no value to compare.

# vi mods-available/eap

ttls {
       copy_request_to_tunnel = yes
}

peap {
       copy_request_to_tunnel = yes
}

Regards,

Martin

On Mon, May 15, 2017 at 8:57 PM, Martin Bednar <mato.bednar at gmail.com> wrote:
> Hello Alan,
>
> again thanks for your time. The goal is simple. When a user is
> connecting to the wireless network he is asked for username/password;
> if there is a match and at the same time he is allowed to use this
> SSID, he is authenticated.
>
> username/password check should happen in radcheck table
> SSID check should happen in radusergroup table
>
>>> MariaDB [radius]> select * from radgroupreply where groupname = "SSID_EMPL-Test";
>>> +----+----------------+-----------+----+--------+
>>> | id | groupname      | attribute | op | value  |
>>> +----+----------------+-----------+----+--------+
>>> |  6 | SSID_EMPL-Test | Auth-Type | := | Accept |
>>> +----+----------------+-----------+----+--------+
>>> 1 row in set (0.00 sec)
>
>> i.e. anyone who logs into the EMPL-Test SSID gets accepted?
>
> You're right - that's not right. In this case even if the
> username/password were wrong, the user would receive Access Accept. I
> believe that normally there is no need for a radgroupreply item because
> Access Accept/Reject is already set from radcheck.
>
> Would it work like this?
>
> Check user in radcheck -> if username/password are ok -> Accept
> otherwise Reject
> Check user in radgroupcheck -> for allowed SSID there would be group
> with no reply action -> if no match last group (highest priority)
> would be Reject which would be always matched.
>
>
> Yes, the solution proposed by you looks straightforward and would
> probably work, but I have no idea where I should put that condition and
> I'm afraid that if I went in this direction it would bring more
> questions than answers.
>
> Thanks for help
> --
> "Martin Bednar"



-- 
"Martin Bednar"
(mato.bednar at gmail.com)
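
An added illustration (not part of the original message, and not FreeRADIUS code): a simplified Python model of why the group check item had nothing to compare until copy_request_to_tunnel was enabled. The use of Called-Station-Id in "MAC:SSID" form as the SSID check item, the attribute values and the function names are assumptions.

```python
import re

# Constructed outer Access-Request as a NAS might send it (values are made up).
OUTER = {
    "User-Name": "anonymous",
    "Called-Station-Id": "00-11-22-33-44-55:EMPL-Test",  # assumed "MAC:SSID" form
    "NAS-IP-Address": "192.0.2.10",
    "EAP-Message": "<outer EAP payload>",
}
# Constructed request recovered from inside the TTLS/PEAP tunnel.
TUNNELED = {"User-Name": "martin", "EAP-Message": "<inner EAP payload>"}

# Hypothetical check item in the style of a radgroupcheck row (assumption).
GROUP_CHECKS = {"SSID_EMPL-Test": [("Called-Station-Id", "=~", r":EMPL-Test$")]}


def inner_request(outer, tunneled, copy_request_to_tunnel):
    """Build the attribute list the inner-tunnel processing gets to see."""
    inner = dict(tunneled)
    if copy_request_to_tunnel:
        # Only attributes missing from the tunneled request are copied in,
        # so values sent inside the tunnel always win.
        for attr, value in outer.items():
            inner.setdefault(attr, value)
    return inner


def check_item_matches(request, attr, op, value):
    """Compare one check item against the request."""
    if attr not in request:
        return False  # no value to compare, so the check item cannot match
    if op == "=~":
        return re.search(value, request[attr]) is not None
    if op == "==":
        return request[attr] == value
    raise ValueError(f"operator {op!r} not modelled")


def matching_groups(request, user_groups):
    """Return the user's groups whose check items all match the request."""
    return [
        group for group in user_groups
        if all(check_item_matches(request, *item) for item in GROUP_CHECKS[group])
    ]


if __name__ == "__main__":
    for flag in (False, True):
        request = inner_request(OUTER, TUNNELED, copy_request_to_tunnel=flag)
        print(f"copy_request_to_tunnel={flag}:",
              matching_groups(request, ["SSID_EMPL-Test"]))
```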


More information about the Freeradius-Users mailing list