rlm_sql - restrict user/hosts groups
Alan DeKok
aland at deployingradius.com
Mon Apr 29 12:50:19 UTC 2024
On Apr 29, 2024, at 6:50 AM, Jarosław Kłopotek - INTERDUO <jkl at interduo.pl> wrote:
> I use freeradius 3.0 and rlm_sql and I would like to create hostgroup/usergroup ACL for login access.
>
> In postgres SQL i created:
>
> SELECT * FROM nasgroup;
> id | nasgroupname | nasname
> ----+--------------+---------------
> 1 | restricted | 172.20.2.42
This is a local configuration change, and isn't part of the default configuration.
> freeradius=# SELECT * FROM radusergroup;
> id | username | groupname | priority
> ----+-------------+-----------+----------
> 4 | user1 | adm | 1
> 5 | user2 | adm | 1
> 6 | user3 | adm | 1
> 1 | user4 | superadm | 1
> 2 | user5 | superadm | 1
> 3 | user6 | superadm | 1
> 7 | user7 | read | 1
>
> So in this example I would like to restrict access for all hosts in group restricted (172.20.2.42) only for users in group superadm (user4, user5, user6).
>
> How to this in proper way?
For the nasgroup, write an SQL query which selects the nasgroupname based on the IP address. For the SQL groups, use the SQL-Group attribute.
Then, put it all together with "unlang". The string literal in the sub-query needs quoting, and the sql xlat and the "if" both need their closing delimiters:

if (("%{sql:SELECT nasgroupname FROM nasgroup WHERE nasname = '%{Packet-Src-IP-Address}'}" == "restricted") && (SQL-Group == "superadm")) {
    ...
}
It's best to test these policies in bits and pieces. i.e. create each piece in isolation, and test that it works. Read the debug output. A slow and methodical approach is usually the fastest way to get this done.
Alan DeKok.
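As an added illustration (not part of the thread, and not Alan's or the FreeRADIUS project's own configuration), here is how the two pieces can be combined into a deny rule in the "authorize" section of a 3.0 virtual server. It assumes the "nasgroup" table layout from the question (columns nasgroupname and nasname), that the "sql" module has already run so that SQL-Group is available, and uses the internal Tmp-String-0 attribute to hold the nasgroup lookup result so it can be seen in the debug output:

```unlang
# sites-enabled/default, authorize section (added example, not from the thread)
authorize {
    # ... preprocess, filter_username and the rest of the default section ...

    # Read radcheck / radusergroup; also makes the SQL-Group comparison work.
    sql

    # Piece 1: which nasgroup does the requesting NAS belong to?
    # Assumed table: nasgroup(id, nasgroupname, nasname), as in the question.
    # The sql xlat SQL-escapes the embedded %{Packet-Src-IP-Address};
    # the value still has to be quoted as a string literal.
    # Expands to "" when the NAS is in no group, so the check below is false.
    update request {
        &Tmp-String-0 := "%{sql:SELECT nasgroupname FROM nasgroup WHERE nasname = '%{Packet-Src-IP-Address}'}"
    }

    # Piece 2: deny everyone on a "restricted" NAS who is not in superadm.
    # "!(... == ...)" is the documented way to negate an SQL-Group check.
    if ((&Tmp-String-0 == "restricted") && !(&SQL-Group == "superadm")) {
        update reply {
            &Reply-Message := "This NAS is restricted to the superadm group"
        }
        reject
    }

    # ... expiration, logintime, pap, etc. ...
}
```

Written as an explicit reject of non-superadm users on a restricted NAS, the rule cannot accidentally grant access on its own: users who pass it still have to authenticate normally, and a NAS with no row in nasgroup is treated as unrestricted, which is the behaviour to confirm (or tighten) when testing each piece with "radiusd -X" as suggested above.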