Newbie questions for freeradius
Alan DeKok
aland at deployingradius.com
Wed Jul 3 08:41:27 CEST 2019
On Jul 2, 2019, at 11:24 PM, Root, Paul T <Paul.Root at CenturyLink.com> wrote:
>
> I am looking into using freeradius here for multiple client setups and I'm learning as I go.
>
> My configuration is CentOS 7, and freeradius 3.0.13 - straight from the CentOS repos.
>
> I have 2 different setups, one using the normal flat files, and one using mysql.
>
> So my first problem. The flat file machine. It rejects every request. And I have just the most basic example from the FreeRadius Beginners Guide. That is actually written for FreeRadius 2.0 , it could be a problem.
You're editing file A. The server is reading file B.
Read the debug output to see what he "files" module is doing. It will print out the name of the file it's reading. Then, edit that file.
> The mysql instance is working better, following directions from daloradius, I've got it working for users that aren't in User-groups. With various clients:
> radtest locally
> radtest on a second system
> NTRadPing from a windows 10 box
> From a Cisco switch with AAA authentication.
>
> What I need though, is to authenticate from a cisco (and probably other vendors) machines to a group. There will be groups of NASes that need to authenticate to specific groups inside radius. And maybe multiple groups (one group and users that aren't in a group would probably be acceptable).
>
> Does that make sense? I don't understand the difference in daloradius between "User-Groups", "Profiles", "HuntGroups", and "Realms".
Huntgroups are historically groups of NASes or lines for telephone numbers. Realm are domain names. Ignore the rest.
FreeRADIUS uses databases for group membership. You can create a custom file-based group list with the "passwd" module. See mods-available/etc_group for an example.
You can change the attribute name from "Etc-Group-Name" to "NAS-Group", and then point the "filename" to a local file that you create. e.g.
passwd nas_group {
filename = ${confdir}/nas_group
format = "=NAS-Group-Name:::*,NAS-IP-Address"
hash_size = 50
ignore_nislike = yes
allow_multiple_keys = yes
delimiter = ":"
}
Also add "NAS-Group-Name" to the dictionary, too.
Then create a "nas_group" file in the configuration directory. Use the same format as /etc/groups, but use IP addresses instead of names.
Then add it to the "authorize" section:
authorize {
nas_group
...
}
And after the "nas_group" module runs, you can do things like:
if (NAS-Group == "named-group") {
... stuff ...
}
and it will match. You can do the same with other modules / files / attributed.
Alan DeKok.
More information about the Freeradius-Users
mailing list