Restricting access for some devices to some groups

jkl at interduo.pl
Mon Aug 7 19:07:00 UTC 2023


On 2023-08-07 18:59, Alan DeKok wrote:

>> But where to put SQL query?
> 
>   In the "authorize" section.

Thanks a lot. :)

>  The initial problem is *not* "how do I configure FreeRADIUS".  The 
> initial problem is to write down a set of rules you want FreeRADIUS to 
> follow.  Write the rules down as simple sentences, with as much detail 
> as possible:
> 
> 	if the user is "login"
> 		use the NAS address from the Access-Accept to look up the group name in the nasgrouprestrictions table
> 		...

OK, I trust you - I will try to put my case in other words.

The problem description:

There are usergroups:
USERGROUP1 { user1, user2, user3 }
USERGROUP2 { user4, user5, user6, user1 }
There is also { user7 } without group.

There are nasgroups:
GROUPNAS1 { device1, device2, device3 }
GROUPNAS2 { device4, device5, device6, device1 }
There is also { device7 } without group.

In short:
I need to get authorization (permission to log in to a device) 
based on usergroups and nasgroups.

Ruleset:
The only users with access to GROUPNAS1 devices should be users from 
group USERGROUP1.
The only users with access to GROUPNAS2 devices should be users from 
group USERGROUP2.
For user7 (without group assigned) there should be no access to devices 
from GROUP1 and GROUP2 (the user could only log into device7).
For device7 (no nas group assigned) there should be no 
usergroup/devicegroup restrictions.

I think that creating two additional tables should be enough for 
storing permissions:
nasgrouprestrictions (id, nasgroupname, nasname) [which nas is in which 
group]
nasgroupchecks (id, groupname, nasgroupname) [which usergroup has access 
to which group of devices]

Maybe there is a better way to achieve this?

I am very surprised that there are no standard structures in 
postgres/schema.sql for this basic need. Can I use the result of one query 
in another check in FreeRADIUS, or do I need to build a very long and almost 
unreadable SQL query? What do you suggest?
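
The ruleset above evaluated with a single query over the two proposed tables, as an added example that is not part of the original post and not FreeRADIUS's own code. Assumptions: SQLite stands in for PostgreSQL, `radusergroup` is trimmed to two columns, `build_db` and `is_allowed` are hypothetical names, and a user is allowed when any of their groups is granted any NAS group containing the device (this decides the device1 and user1 overlaps).

```python
import sqlite3

# Constructed schema: radusergroup is the stock FreeRADIUS user-to-group table
# (priority column omitted); the other two tables are the ones proposed above.
SCHEMA = """
CREATE TABLE radusergroup (username TEXT, groupname TEXT);
CREATE TABLE nasgrouprestrictions (id INTEGER PRIMARY KEY, nasgroupname TEXT, nasname TEXT);
CREATE TABLE nasgroupchecks (id INTEGER PRIMARY KEY, groupname TEXT, nasgroupname TEXT);
"""
# Constructed sample data mirroring the groups listed in the post.
USERGROUPS = {"USERGROUP1": ["user1", "user2", "user3"],
              "USERGROUP2": ["user4", "user5", "user6", "user1"]}
NASGROUPS = {"GROUPNAS1": ["device1", "device2", "device3"],
             "GROUPNAS2": ["device4", "device5", "device6", "device1"]}
GRANTS = [("USERGROUP1", "GROUPNAS1"), ("USERGROUP2", "GROUPNAS2")]

# Allowed when the NAS is in no NAS group (the device7 rule), or when some
# grant links one of the user's groups to a NAS group containing the NAS.
ALLOW_SQL = """
SELECT NOT EXISTS (SELECT 1 FROM nasgrouprestrictions WHERE nasname = :nas)
    OR EXISTS (
        SELECT 1
        FROM nasgrouprestrictions r
        JOIN nasgroupchecks c ON c.nasgroupname = r.nasgroupname
        JOIN radusergroup u ON u.groupname = c.groupname
        WHERE r.nasname = :nas AND u.username = :user)
"""

def build_db():
    """Create an in-memory database holding the constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for group, users in USERGROUPS.items():
        db.executemany("INSERT INTO radusergroup VALUES (?, ?)",
                       [(u, group) for u in users])
    for group, devices in NASGROUPS.items():
        db.executemany(
            "INSERT INTO nasgrouprestrictions (nasgroupname, nasname) VALUES (?, ?)",
            [(group, d) for d in devices])
    db.executemany(
        "INSERT INTO nasgroupchecks (groupname, nasgroupname) VALUES (?, ?)", GRANTS)
    return db

def is_allowed(db, user, nas):
    """Return True if the ruleset lets this user log in to this NAS."""
    # Bound parameters keep the user and NAS names out of the SQL text.
    row = db.execute(ALLOW_SQL, {"user": user, "nas": nas}).fetchone()
    return bool(row[0])
```

Because ungrouped devices carry no restrictions, a NAS name missing from `nasgrouprestrictions` (including a misspelled one) is allowed for every user, so that table needs to be kept complete.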


