Restricting access for some devices to some groups

jkl at interduo.pl
Mon Aug 7 22:13:53 UTC 2023


>> Ruleset:
>> The only users who get access to GROUPNAS1 devices should be users from 
>> group USERGROUP1.
>> The only users who get access to GROUPNAS2 devices should be users from 
>> group USERGROUP2.
>> For user7 (without a group assigned) there should be no access to 
>> devices from GROUP1 and GROUP2 (the user could only log into device7).
>> For device7 (no nas group assigned) there should be no 
>> usergroup/devicegroup restrictions.

>   The RADIUS packets contain detailed information about NAS IP, etc.  
> This is the information you will use to configure the above rules.  If 
> the rules don't contain this detailed information, the rules are too 
> vague to be implemented.

I log in to some device using login+pass+ipaddress.

Login and pass are in radcheck SQL table:
1 | login1 | Cleartext-Password | := | verystrongpass

ipaddress is in table nas:
id   |  nasname  |   shortname        | type  | ports |      secret      |
6158 | 127.0.0.1 | freeradius-web-php | other |       | verystrongsecret |

>   i.e. what information does it receive in RADIUS?  What attributes 
> does it use to query SQL?  What do those SQL queries look like?

Now I use vanilla queries from 
/etc/freeradius/3.0/mods-config/sql/main/postgresql/queries.conf. Fewer 
changes are better.

I am testing locally:
$ radtest -x login1 verystrongpass 172.20.100.3:1812 1 verystrongsecret
Sent Access-Request Id 44 from 0.0.0.0:36238 to 172.20.100.3:1812 length 75
         User-Name = "login1"
         User-Password = "verystrongpass"
         NAS-IP-Address = 127.0.1.1
         NAS-Port = 1
         Message-Authenticator = 0x00
         Cleartext-Password = "verystrongpass"

Got response:
Received Access-Accept Id 185 from 172.20.100.3:1812 to 172.20.100.3:41317 length 20

It just works.

>   You can use the result of one SQL query in another SQL query.  Just 
> put the intermediate data into an attribute. See raddb/dictionary for 
> documentation on defining local attributes.

I will check that for sure.

> These are still high level.  You need to get into details as I had 
> suggested in my earlier message.

Now... could I add something more?
It's like learning a new programming language.
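One way to express the ruleset quoted at the top with only a changed authorize_check_query, as an added example that is not code from the list or from the FreeRADIUS project: two extra tables (assumed names nasgroup and nasgroup_allowed) map a NAS to its group and a NAS group to the user groups allowed on it, and the query adds an Auth-Type := Reject check item when the pair does not match. It keys the NAS on %{Packet-Src-IP-Address} rather than NAS-IP-Address, because the source address is what the server already matched against the nas table and its secret, while NAS-IP-Address is whatever the client puts in the packet (the radtest run above sends 127.0.1.1 although the nas row is 127.0.0.1).

```sql
-- Constructed tables (assumed names): which group a NAS belongs to, and which
-- user groups may log in to each NAS group. A NAS with no row here (device7)
-- is not restricted at all.
CREATE TABLE nasgroup (
    nasname   text PRIMARY KEY,      -- same value as nas.nasname
    groupname text NOT NULL
);
CREATE TABLE nasgroup_allowed (
    nasgroup  text NOT NULL,
    usergroup text NOT NULL,         -- matches radusergroup.groupname
    PRIMARY KEY (nasgroup, usergroup)
);

-- Constructed sample data; user membership stays in the stock radusergroup table.
INSERT INTO nasgroup VALUES ('10.0.1.1', 'GROUPNAS1'), ('10.0.1.2', 'GROUPNAS1'),
                            ('10.0.2.1', 'GROUPNAS2');
INSERT INTO nasgroup_allowed VALUES ('GROUPNAS1', 'USERGROUP1'),
                                    ('GROUPNAS2', 'USERGROUP2');
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('login1', 'USERGROUP1', 1);   -- user7 deliberately has no row

-- Replacement for authorize_check_query in
-- mods-config/sql/main/postgresql/queries.conf (there it is wrapped in "..."
-- with \ line continuations). rlm_sql SQL-escapes the expanded %{...} values.
-- The first SELECT is the stock radcheck lookup; the second adds a single
-- Auth-Type := Reject row only when the sending NAS is in some group AND the
-- user belongs to none of the user groups allowed on that group.
SELECT id, username, attribute, value, op
  FROM radcheck
 WHERE username = '%{SQL-User-Name}'
UNION ALL
SELECT 0, '%{SQL-User-Name}', 'Auth-Type', 'Reject', ':='
 WHERE EXISTS (SELECT 1 FROM nasgroup ng
                WHERE ng.nasname = '%{Packet-Src-IP-Address}')
   AND NOT EXISTS (SELECT 1
                     FROM nasgroup ng
                     JOIN nasgroup_allowed na ON na.nasgroup = ng.groupname
                     JOIN radusergroup ug    ON ug.groupname = na.usergroup
                    WHERE ng.nasname  = '%{Packet-Src-IP-Address}'
                      AND ug.username = '%{SQL-User-Name}')
ORDER BY id;
```

With this in place login1 is accepted from 10.0.1.1 and rejected from 10.0.2.1, user7 is rejected from any NAS that has a nasgroup row, and a NAS with no row keeps the unchanged radcheck behaviour.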



More information about the Freeradius-Users mailing list