Restricting access for some devices to some groups

Alan DeKok aland at deployingradius.com
Mon Aug 7 16:59:18 UTC 2023


On Aug 7, 2023, at 11:58 AM, Jarosław Kłopotek <jkl at interduo.pl> wrote:
> Hi, I would like to restrict access to some devices (using IP addresses).
> 
> How do you assign group privileges with FreeRADIUS?

   Define a group.  Then if the group matches, assign authorization.

> (I tried to find some docs but without good results)

  Yes, there is no documentation on exactly what you want to do.  The documentation instead describes how the server works.  It lets you put the pieces together.

> I try:
> In SQL database:
> 1. I added table "nasgrouprestrictions" (id, nasname, groupname),

  The server doesn't look at that group, so you will need to update the configuration to run a SELECT query to search the table.

> 2. I created group "superadm" and assigned users in table radusergroup,
> login1, login2 are in "users" group
> login3 is in "superadm" and "users" group

  Ok...

> How to allow:
> login3 to login into all 10.100.0.{1,2,3} hosts
> and
> login1, login2 to login into only 10.100.0.{1,3} hosts ?
> 
> But where to put SQL query?

  In the "authorize" section.

  if ((User-Name == "login3") && ("%{sql:SELECT ...}" == "...")) {
	... do stuff
  }

  The initial problem is *not* "how do I configure FreeRADIUS".  The initial problem is to write down a set of rules you want FreeRADIUS to follow.  Write the rules down as simple sentences, with as much detail as possible:

	if the user is "login"
		use the NAS address from the Access-Accept to look up the group name in the nasgrouprestrictions table
		...

  etc.

  Once you have a clear description of the problem you want to solve, it's a lot easier to configure FreeRADIUS.

  Alan DeKok.
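
The rules from the thread written out as one lookup, as an added example that is not part of the original message or of FreeRADIUS itself. It assumes a row in nasgrouprestrictions means "this group may log in to this NAS", uses constructed sample rows in an in-memory SQLite database, and treats a missing row as a reject; is_allowed and build_db are hypothetical helper names.

```python
import sqlite3

# Constructed sample data matching the rules in the thread. The meaning given
# to nasgrouprestrictions (a row allows that group on that NAS) is an assumption.
SCHEMA = """
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER DEFAULT 1);
CREATE TABLE nasgrouprestrictions (id INTEGER PRIMARY KEY, nasname TEXT, groupname TEXT);
"""
USER_GROUPS = [("login1", "users"), ("login2", "users"),
               ("login3", "users"), ("login3", "superadm")]
NAS_GROUPS = [("10.100.0.1", "users"), ("10.100.0.3", "users"),
              ("10.100.0.2", "superadm")]

# Rule: allow the login only if at least one of the user's groups is listed
# for the NAS. No matching row (unknown user, unlisted NAS) means reject.
ALLOW_QUERY = """
SELECT COUNT(*)
  FROM radusergroup AS ug
  JOIN nasgrouprestrictions AS r ON r.groupname = ug.groupname
 WHERE ug.username = ? AND r.nasname = ?
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO radusergroup (username, groupname) VALUES (?, ?)", USER_GROUPS)
    db.executemany(
        "INSERT INTO nasgrouprestrictions (nasname, groupname) VALUES (?, ?)", NAS_GROUPS)
    return db

def is_allowed(db, username, nas_ip):
    # Bound parameters keep request-supplied values out of the SQL text.
    (count,) = db.execute(ALLOW_QUERY, (username, nas_ip)).fetchone()
    return count > 0

if __name__ == "__main__":
    db = build_db()
    for user in ("login1", "login2", "login3", "nobody"):
        for nas in ("10.100.0.1", "10.100.0.2", "10.100.0.3", "10.100.0.9"):
            verdict = "accept" if is_allowed(db, user, nas) else "reject"
            print(f"{user:7} {nas:11} {verdict}")
```

The same SELECT, with the two parameters taken from the request, is the kind of query that would go inside the "%{sql:SELECT ...}" expansion shown above.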


