Restricting access for some devices to some groups
Alan DeKok
aland at deployingradius.com
Mon Aug 7 21:18:39 UTC 2023
On Aug 7, 2023, at 3:07 PM, jkl at interduo.pl wrote:
> The problem description:
>
> There are usergroups:
> USERGROUP1 { user1, user2, user3 }
> USERGROUP2 { user4, user5, user6, user1 }
> There is also { user7 } without group.
>
> There are nasgroups:
> GROUPNAS1 { device1, device2, device3 }
> GROUPNAS2 { device4, device5, device6, device1 }
> There is also { device7 } without group.
OK...
> Shortly:
> I need to get permission authorization (getting permission to device login) based on usergroups and nas groups.
>
> Ruleset:
> The only users that should get access to GROUPNAS1 devices are users from group USERGROUP1.
> The only users that should get access to GROUPNAS2 devices are users from group USERGROUP2.
> For user7 (without a group assigned) there should be no access to devices from GROUP1 and GROUP2 (the user could only log into device7).
> For device7 (no nas group assigned) there should be no usergroup/devicegroup restrictions.
These are still high level. You need to get into details as I had suggested in my earlier message.
The RADIUS packets contain detailed information about NAS IP, etc. This is the information you will use to configure the above rules. If the rules don't contain this detailed information, the rules are too vague to be implemented.
i.e. what information does it receive in RADIUS? What attributes does it use to query SQL? What do those SQL queries look like?
> I think that creating two additional tables should be enough for storing permissions:
> nasgrouprestrictions (id, nasgroupname, nasname) [which nas is in what group]
> nasgroupchecks (id, groupname, nasgroupname) [which usergroup got access to which group of devices]
>
> Maybe there is a better way to achieve this?
>
> I am very surprised that there are no standard structures in postgres/schema.sql for this basic need.
It's not common enough to be needed in the default configuration.
> Can I use the result of one query in another check in freeradius, or do I need to build a very long and almost unreadable SQL query? What do you suggest?
You can use the result of one SQL query in another SQL query. Just put the intermediate data into an attribute. See raddb/dictionary for documentation on defining local attributes.
Alan DeKok.
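As an added illustration of the two-step lookup described above (not code from the thread or from FreeRADIUS itself), the following Python script models the two tables jkl proposed, plus the standard radusergroup table, in an in-memory SQLite database and chains the queries: the first looks up the NAS's group(s), standing in for the intermediate attribute, and the second checks them against the user's groups. The sample rows are constructed from the problem description; that a device listed in two NAS groups accepts users from either group is my assumption.

```python
import sqlite3

# Constructed sample data mirroring the thread's problem description.
# radusergroup is the standard FreeRADIUS table; the other two are jkl's proposal.
SCHEMA = """
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER DEFAULT 1);
CREATE TABLE nasgrouprestrictions (id INTEGER PRIMARY KEY, nasgroupname TEXT, nasname TEXT);
CREATE TABLE nasgroupchecks (id INTEGER PRIMARY KEY, groupname TEXT, nasgroupname TEXT);
"""
USERGROUPS = [("user1", "USERGROUP1"), ("user2", "USERGROUP1"), ("user3", "USERGROUP1"),
              ("user4", "USERGROUP2"), ("user5", "USERGROUP2"), ("user6", "USERGROUP2"),
              ("user1", "USERGROUP2")]            # user7 is in no user group
NASGROUPS = [("GROUPNAS1", "device1"), ("GROUPNAS1", "device2"), ("GROUPNAS1", "device3"),
             ("GROUPNAS2", "device4"), ("GROUPNAS2", "device5"), ("GROUPNAS2", "device6"),
             ("GROUPNAS2", "device1")]            # device7 is in no NAS group
CHECKS = [("USERGROUP1", "GROUPNAS1"), ("USERGROUP2", "GROUPNAS2")]


def build_db():
    """Create the schema and load the constructed rows into an in-memory DB."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO radusergroup (username, groupname) VALUES (?, ?)", USERGROUPS)
    db.executemany("INSERT INTO nasgrouprestrictions (nasgroupname, nasname) VALUES (?, ?)", NASGROUPS)
    db.executemany("INSERT INTO nasgroupchecks (groupname, nasgroupname) VALUES (?, ?)", CHECKS)
    return db


def authorize(db, username, nasname):
    """Return True if username may log in to the NAS called nasname."""
    # Step 1: which NAS group(s) does this device belong to? In FreeRADIUS this
    # result would be stored in a local attribute for the second query to use.
    nas_groups = [r[0] for r in db.execute(
        "SELECT nasgroupname FROM nasgrouprestrictions WHERE nasname = ?", (nasname,))]
    if not nas_groups:
        return True  # device in no NAS group: no usergroup/devicegroup restriction
    # Step 2: is any of the user's groups permitted on any of those NAS groups?
    placeholders = ",".join("?" * len(nas_groups))
    row = db.execute(
        "SELECT 1 FROM radusergroup u JOIN nasgroupchecks c ON c.groupname = u.groupname "
        f"WHERE u.username = ? AND c.nasgroupname IN ({placeholders}) LIMIT 1",
        (username, *nas_groups)).fetchone()
    return row is not None  # a user with no group (user7) never matches here
```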