using huntgroups to restrict users in particular groups
Alan DeKok
aland at deployingradius.com
Fri May 29 23:13:16 CEST 2020
On May 29, 2020, at 2:53 PM, Root, Paul T via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I'm new to FreeRadius. I've built a test server with freeradius 3.0.13, mariadb 10.1.45, and daloradius 1.1-3 beta on CentOS 7.
OK.
> We are just starting into radius authentication. We just want it for logging into routers and switches for administration work. What I need is to define multiple groups of devices - in huntgroups. And multiple groups of users. There may be a base group of users that should be allowed to any huntgroup. But mostly, one user group is to be specific to one hunt group.
That should be possible.
> I'm following the how-to for SQL-Huntgroups. https://wiki.freeradius.org/guide/SQL-Huntgroup-HOWTO
>
> MariaDB [radius]> select * from radhuntgroup;
> +----+-----------+-----------------+-----------+
> | id | groupname | nasipaddress    | nasportid |
> +----+-----------+-----------------+-----------+
> |  1 | group1    | 10.161.161.0/24 |         0 |
> |  2 | group2    | 10.139.63.0/24  |         0 |
> +----+-----------+-----------------+-----------+
Netmasks really won't work there. There's a reason the field is called "IP address".
> MariaDB [radius]> select * from radusergroup;
> +----------+------------+----------+
> | username | groupname  | priority |
> +----------+------------+----------+
> | paul     | usergroup1 |        0 |
> | ptr      | usergroup2 |        0 |
> +----------+------------+----------+
>
> MariaDB [radius]> select * from radgroupcheck;
> +----+---------------------------+----------------+----+--------+
> | id | groupname                 | attribute      | op | value  |
> +----+---------------------------+----------------+----+--------+
> |  1 | daloRADIUS-Disabled-Users | Auth-Type      | := | Reject |
> |  2 | daloRADIUS-Disabled-Users | Auth-Type      | := | Reject |
> |  3 | usergroup1                | Huntgroup-Name | == | group1 |
> |  4 | usergroup2                | Huntgroup-Name | == | group2 |
> +----+---------------------------+----------------+----+--------+
See the Wiki for how the SQL module works: https://wiki.freeradius.org/modules/Rlm_sql
That configuration just says "match user group 1 if hunt group name is group2". It doesn't *do* anything with that result.
> However, both users can connect to either huntgroup.
>
> I must be missing something here. My impression is that this would be all that's needed. Maybe there is a configuration variable I missed?
By default, FreeRADIUS authenticates all valid users, and allows them network access. If you want something else, you have to write those policies. So this isn't just "match group X", it's
if user in group X
and user is coming from hunt group Y
then
allow
else
reject
i.e. write your policies as English first. It should then be reasonably simple to convert them to "unlang".
> I also tried the update request to allow user groups/profiles to access a different NAS, but if I edit sites-enabled/default, I get an error trying to start radius.
>
> update request {
>     Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress = '%{NAS-IP-Address}'}"
>
>     # only allow usergroup1 to group1
>     if (SQL-Group == "usergroup1") {
>         if (Huntgroup-Name != "group1") {
>             reject
>         }
>     }
> }
>
> /etc/raddb/sites-enabled/default[307]: Entry is not in "attribute = value" format
That is the line with the "if" statement.
> That's simplified but pretty much straight out of the how-to.
You've edited it to rearrange the braces. The braces are important.
The "update" statement just contains "attribute = value". It doesn't contain "if" or any other keyword.
Rewrite that and post the debug output.
Alan DeKok.
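A working form of the policy described in the reply above, written out as an added example rather than configuration taken from the thread, the wiki HOWTO or the FreeRADIUS project. It assumes the sql module instance is named "sql" (so the group attribute is SQL-Group), that a base group called "netadmins" is the one allowed on every device, that radhuntgroup rows hold exact NAS addresses, and that the policy sits in the authorize section of sites-enabled/default right after the sql module call.

```unlang
# authorize section of /etc/raddb/sites-enabled/default (assumed placement)
authorize {
    # ... preprocess, chap, mschap etc. from the stock section stay above ...

    # sql must run before the checks below: it loads radusergroup membership
    # and registers the SQL-Group attribute that the comparisons use.
    sql

    # An update block holds only "attribute = value" lines, nothing else.
    # radhuntgroup must store the exact NAS address; a netmask row such as
    # 10.161.161.0/24 never matches, so Huntgroup-Name is then left unset.
    update request {
        Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress = '%{NAS-IP-Address}'}"
    }

    # Policy in English first, then as unlang:
    #   netadmins (assumed base group) may log in to any device
    #   usergroup1 only where the device is in hunt group group1
    #   usergroup2 only where the device is in hunt group group2
    #   everyone else is rejected
    if (SQL-Group == "netadmins") {
        noop
    }
    elsif (SQL-Group == "usergroup1") {
        # A missing Huntgroup-Name (unknown NAS) makes a plain "!=" test
        # false in v3, so check existence explicitly and reject that too.
        if (!&Huntgroup-Name || (&Huntgroup-Name != "group1")) {
            reject
        }
    }
    elsif (SQL-Group == "usergroup2") {
        if (!&Huntgroup-Name || (&Huntgroup-Name != "group2")) {
            reject
        }
    }
    else {
        reject
    }

    # ... pap, expiration and the rest of the stock section follow ...
}
```

Run the server with radiusd -X after the change: the debug output shows which branch matched and the SQL query that produced Huntgroup-Name for each request.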