Folks,
Parts of my radiusd.conf look something like this:

authorize {
  preprocess
  sql
  files
}
authenticate {
  pap
}

My SQL tables are actually PostgreSQL VIEWs which look into my pre-existing user database to present the information in the format suitable to RADIUS, i.e.:

 id | username |   attribute    |            value             | op
----+----------+----------------+------------------------------+----
  2 | tb       | Crypt-Password | $1$ql$aI56h/QB5b3.tHJFJ7q7m/ | ==
  3 | tb       | Group-Name     | tb                           | +=
  5 | tb       | Group-Name     | sysadmin                     | +=

I have managed to successfully get my NAS to authenticate the user based on the password in the database. The table format above can be changed to solve my problem if necessary (for example if += is the wrong op to use, or Group-Name is the wrong attribute to use).

I want to match on Group-Name in my raddb/users file (as this is processed after sql as you see above). I want to do something like this:

DEFAULT Group-Name != "sysadmin", Huntgroup-Name == "restricted", Auth-Type := Reject
        Fall-Through = No

i.e. if a user attempts to log into a NAS in the "restricted" huntgroup (which I have confirmed is being correctly identified) then they must be in the sysadmin group to be permitted to log in.

(Apologies for the wrapping, I know this isn't actually valid syntax. Assume that lines can be broken with backslashes for the purposes of this email).

The problem seems to be that the sql module adds the Group-Name attribute to the list of configuration items, whilst the files module matches against items in the check list.

The question, therefore, is - how can I get the sql module to add items to the check list, in the same way the preprocess module adds the Huntgroup-Name and Client-IP-Address attributes (etc)? Or alternatively, how can I achieve a similar effect in another way? Specifically, how can I disallow users from connecting to NASs in the "restricted" huntgroup if they're not members of the "sysadmin" group?

I believe I have a fairly thorough understanding of how all the bits of FreeRADIUS interact, so I must be missing something fairly small but significant, or simply can't see a solution that's right under my nose. Apologies if this is an FAQ (I have read the flippin documentation as best I could) or a problem whose solution is obvious to those with more experience than me.

Thanks for your help.
Tim.

--
Tim Bates
[EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
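To make the check-list versus reply-list distinction in the message above concrete, here is a small added Python model of the authorize flow (preprocess -> sql -> files). It is an illustration written for this page, not FreeRADIUS code and not from the original post: the "guest" user and its hash are constructed, and the matching rules (how `==` and `!=` treat a multi-valued or missing attribute) are a deliberate simplification of rlm_files, chosen only to show why a `Group-Name != "sysadmin"` check item cannot see a Group-Name that sql has placed in the reply list, and what changes when the same rows land in the check list instead.

```python
"""Toy model of check items vs. reply items in a FreeRADIUS-style
'users' file.  Added illustration only: the matching rules below are a
deliberate simplification, not rlm_files' real comparison code."""

# Constructed sample data modelled on the PostgreSQL view in the post.
# The "guest" user and its hash are invented for this example.
SQL_ROWS = [
    ("tb",    "Crypt-Password", "$1$ql$aI56h/QB5b3.tHJFJ7q7m/", "=="),
    ("tb",    "Group-Name",     "tb",                           "+="),
    ("tb",    "Group-Name",     "sysadmin",                     "+="),
    ("guest", "Crypt-Password", "$1$examplehash",               "=="),
    ("guest", "Group-Name",     "guest",                        "+="),
]

# The users-file entry from the post: check items, and the reply items
# to apply when every check item matches.
RESTRICTED_RULE = {
    "check": [("Group-Name", "!=", "sysadmin"),
              ("Huntgroup-Name", "==", "restricted")],
    "reply": [("Auth-Type", ":=", "Reject"), ("Fall-Through", "=", "No")],
}


def sql_authorize(username, rows, groups_as_check):
    """Simulate the sql module in authorize.  '==' rows become check
    items; '+=' rows go to the reply list, unless groups_as_check (the
    behaviour the post is asking for) forces Group-Name rows into the
    check list instead."""
    check, reply = [], []
    for user, attr, value, op in rows:
        if user != username:
            continue
        if op == "==" or (groups_as_check and attr == "Group-Name"):
            check.append((attr, op, value))
        else:
            reply.append((attr, op, value))
    return check, reply


def values_of(attr, request, check):
    """Instances of attr visible to the files matcher: the request
    (User-Name plus Huntgroup-Name added by preprocess) and the check
    list built by earlier authorize modules.  The reply list is not
    consulted, which is the crux of the post."""
    vals = [v for a, v in request if a == attr]
    vals += [v for a, _op, v in check if a == attr]
    return vals


def item_matches(item, request, check):
    """Simplified comparison (model assumption): '==' needs some instance
    equal to the value; '!=' needs no instance equal, so a missing
    attribute satisfies '!='."""
    attr, op, value = item
    vals = values_of(attr, request, check)
    if op == "==":
        return value in vals
    if op == "!=":
        return value not in vals
    raise ValueError("unsupported check operator %r" % op)


def files_authorize(rule, request, check):
    """Return the rule's reply items if every check item matches."""
    if all(item_matches(i, request, check) for i in rule["check"]):
        return list(rule["reply"])
    return None


def decide(username, huntgroup, groups_as_check=False):
    """Run preprocess -> sql -> files and report 'reject' or 'allow'.
    Only the Auth-Type := Reject item matters for this illustration."""
    request = [("User-Name", username), ("Huntgroup-Name", huntgroup)]
    check, _reply = sql_authorize(username, SQL_ROWS, groups_as_check)
    extra = files_authorize(RESTRICTED_RULE, request, check)
    if extra and ("Auth-Type", ":=", "Reject") in extra:
        return "reject"
    return "allow"


if __name__ == "__main__":
    for mode in (False, True):
        where = "check list" if mode else "reply list"
        for user in ("tb", "guest"):
            for hg in ("restricted", "office"):
                print("Group-Name in %-10s: %-5s on %-10s -> %s"
                      % (where, user, hg, decide(user, hg, mode)))
```

With Group-Name left in the reply list (the situation described in the post), `decide("tb", "restricted")` rejects tb even though tb is a sysadmin, because the `!=` check item never sees the group rows. With the same rows routed into the check list, tb on a restricted NAS is allowed and guest is rejected, and neither user is affected on a NAS outside the huntgroup. The two runs differ only in where sql puts Group-Name, which is exactly the behaviour the post is asking how to obtain.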
