using huntgroups to restrict users in particular groups

Root, Paul T Paul.Root at CenturyLink.com
Fri May 29 20:53:09 CEST 2020


Hi,
I'm new to FreeRadius. I've built a test server with freeradius 3.0.13, mariadb 10.1.45, and daloradius 1.1-3 beta on CentOS 7.

We are just starting into radius authentication. We just want it for logging into routers and switches for administration work. What I need is to define multiple groups of devices - in huntgroups. And multiple groups of users. There may be a base group of users that should be allowed to any huntgroup. But mostly, one user group is to be specific to one hunt group.

I'm following the how-to for SQL-Huntgroups. https://wiki.freeradius.org/guide/SQL-Huntgroup-HOWTO

MariaDB [radius]> select * from radhuntgroup;
+----+-----------+-----------------+-----------+
| id | groupname | nasipaddress    | nasportid |
+----+-----------+-----------------+-----------+
|  1 | group1    | 10.161.161.0/24 | 0         |
|  2 | group2    | 10.139.63.0/24  | 0         |
+----+-----------+-----------------+-----------+

MariaDB [radius]> select * from radusergroup;
+----------+------------+----------+
| username | groupname  | priority |
+----------+------------+----------+
| paul     | usergroup1 |        0 |
| ptr      | usergroup2 |        0 |
+----------+------------+----------+

MariaDB [radius]> select * from radgroupcheck;
+----+---------------------------+----------------+----+--------+
| id | groupname                 | attribute      | op | value  |
+----+---------------------------+----------------+----+--------+
|  1 | daloRADIUS-Disabled-Users | Auth-Type      | := | Reject |
|  2 | daloRADIUS-Disabled-Users | Auth-Type      | := | Reject |
|  3 | usergroup1                | Huntgroup-Name | == | group1 |
|  4 | usergroup2                | Huntgroup-Name | == | group2 |
+----+---------------------------+----------------+----+--------+


However, both users can connect to either huntgroup.

I must be missing something here. My impression is that this would be all that's needed. Maybe there is a configuration variable I missed?

I also tried the update request to allow user groups/profiles to access a different NAS, but if I edit sites-enabled/default, I get an error trying to start radius.

        update request {
                Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress=='%{NAS-IP-Address}'}"

                # only allow usergroup1 to group1
                if (SQL-Group == "usergroup1") {
                        if (Huntgroup-Name != "group1") {
                                reject
                        }
                }
        }

/etc/raddb/sites-enabled/default[307]: Entry is not in "attribute = value" format

That's simplified but pretty much straight out of the how-to.


I'm not stuck on the idea of daloradius or even SQL. But the user space will be managing, and they want a web admin. I could write my own simple one, as all we need to manage is users and huntgroups.


Any ideas here?


Thanks,
Paul.


Paul Root
Lead Operations Engineer    - IT Managed Services
390 Commerce Dr
Woodbury, Mn 55125
651-312-5207  paul.root at centurylink.com

This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
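An added example, not from the original post or the FreeRADIUS project, showing how the snippet above has to be laid out in a FreeRADIUS 3.x authorize section to avoid the "attribute = value" error: an update block may only contain attribute assignments, so the if belongs beside it, and the Huntgroup-Name lookup has to run before the sql module so that the Huntgroup-Name check items in radgroupcheck have a value to compare. Group and NAS names are taken from the tables in the post; the exact-match query is an assumption and will not match the CIDR values stored in nasipaddress there.

```unlang
# Added example: authorize fragment for sites-enabled/default (FreeRADIUS 3.x).
# Not the original poster's configuration.
authorize {
        preprocess

        # Set Huntgroup-Name from the SQL huntgroup table BEFORE sql runs,
        # otherwise radgroupcheck rows with "Huntgroup-Name == group1" never
        # match and no per-group restriction is applied at all.
        # Assumption: nasipaddress holds a single address. A row storing
        # "10.161.161.0/24" will not match NAS-IP-Address with "=".
        update request {
                Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress = '%{NAS-IP-Address}'}"
        }

        sql

        # Policy lives OUTSIDE the update block: an "if" is not an
        # "attribute = value" entry, which is the start-up error quoted
        # in the post. usergroup1 members are only accepted on NAS devices
        # that resolved to huntgroup group1; anywhere else they are rejected
        # before authentication runs.
        if (SQL-Group == "usergroup1" && Huntgroup-Name != "group1") {
                reject
        }

        pap
}
```

A request from a NAS whose address did not resolve to any huntgroup leaves Huntgroup-Name empty, so the same condition rejects usergroup1 there too; check with radiusd -X that the update actually populates the attribute before trusting the policy.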

