Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users
Levin, Vladimir
vladlevin at geo-logic.com
Thu Sep 5 10:12:30 CEST 2019
Hi Fajar,
After reading your reply I've realized that, since all Synology users belong to the "users" group, I can simply use that value in the Class statement. And it worked! Now all that's left to do is to include the "admin" group for router administration, but it looks like there's a syntax error in the 2nd line of the code I came up with:
update reply {
        if (&User-Name == "cisco") {
                Class := "admin"
        }
        else {
                Class := "users"
        }
}
Could you tell me what I'm doing wrong?
Thanks a lot,
vl
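Added example, not from the original message or the Synology wrapper: in FreeRADIUS 3.0.x unlang a condition cannot appear inside an "update" block, so the if/else has to wrap the update blocks instead. It assumes the file is $INCLUDEd from the post-auth section of the virtual server (an assumption; the page does not show where Synology includes /usr/local/synoradius/groups).

```unlang
# Added example (not from the original post). FreeRADIUS 3.0.x unlang:
# "update reply { if ... }" is invalid because update blocks only hold
# attribute assignments. Put the condition at section level and give each
# branch its own update block.
#
# Assumed location: included from the post-auth section of the virtual
# server; adjust to wherever the Synology wrapper pulls this file in.
if (&User-Name == "cisco") {
        # Router administrator: the RV340 maps Class "admin" to admin access
        update reply {
                &Class := "admin"
        }
}
else {
        # Everyone else: all Synology accounts belong to the "users" group
        update reply {
                &Class := "users"
        }
}
```

Run the server in debug mode and confirm the Access-Accept shows a non-empty Class value rather than the "Class := 0x" seen in the log below.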
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+vladlevin=geo-logic.com at lists.freeradius.org] On Behalf Of Fajar A. Nugraha
Sent: Wednesday, September 04, 2019 10:04 PM
To: FreeRadius users mailing list
Subject: Re: Re: Re: Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users
On Thu, Sep 5, 2019 at 9:43 AM Levin, Vladimir <vladlevin at geo-logic.com> wrote:
>
> Hi Fajar,
>
> Just to be clear: the user accounts and groups already exist in Synology's local database.
Does freeradius get the same information from that database?
> My goal is to return the users' group as a Class attribute in the authentication reply to the RADIUS client (Cisco VPN router). Here's what I did (working config files are located in /usr/local/synoradius/):
> 1. Created /usr/local/synoradius/groups file with the following content:
> update reply {
> Class := "%{Group}"
> }
Have you determined that %{Group} actually contains the correct group?
> The client log reads "charon: Localdb:authorization failed as group is NULL".
>
> Below is the server log:
> Type Date & Time Event
> 2019-09-04 18:59:06 Info Ready to process requests
> 2019-09-04 18:59:06 Debug (0) Cleaning up request packet ID 166 with timestamp +36671
> 2019-09-04 18:59:01 Debug Waking up in 4.9 seconds.
> 2019-09-04 18:59:01 Debug (0) Finished request
> 2019-09-04 18:59:01 Debug (0) Class := 0x
Looking at this, it seems that %{Group} is expanded to null.
Where did synology define the group? If it's part of a unix group, then reading http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-tp2781054p2781071.html, it does not store group membership in the 'Group' attribute. You might be able to use something like https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/etc_group, but it might or might not work depending on what's in your /etc/group.
If your user/group are stored in sql, then it's another different story. You might be able to get group membership using a custom SQL query.
In any case, you can see what attributes you can use (for update reply) in debug mode using debug_all: https://serverfault.com/a/845161
--
Fajar