First posting to group, please be gentle. . .
Version:
radiusd: FreeRADIUS Version 0.9.3, for host i686-pc-linux-gnu, built on
Nov 9 2004 at 11:08:43
Running on SuSE Linux 2.6.5-7.151-smp Fri Mar 18 11:31:21 UTC 2005 i686
i686 i386 GNU/Linux
For several months, our system has been working to allow dialup and reject
e-mail only, virus lockouts, and billing lockouts. We want to add RADIUS
to our wireless and DSL systems.
What I Need to Accomplish:
a. Any given user may have access to any combination of dialin, wireless, dsl
b. Reject access to unknown users, virus_lockout, billing_lockout and
email_only customers, regardless of the NAS they are using.
c. Accept a known user from a modem server only if the user is part of the
dialin group.
d. Accept a known user from a wireless access point only if the user is
part of the wireless group.
e. Accept a known user from DSL only if the user is part of the dsl group.
Our 'DialUp_Default' group is given these attributes and values:
Coming from the 'radgroupreply' table:
Session-Timeout := 14400
Service-Type := Framed-User
Framed-Compression := Van-Jacobsen-TCP-IP
Framed-MTU := 1500
Framed-IP-Address := 255.255.255.254
Coming from the 'radgroupcheck' table:
Simultaneous-Use := 1
[Question: Is that even done correctly?]
I've been trying to set up 'huntgroups' using this template:
dialup NAS-IP-Address == 1.2.3.4
dialup NAS-IP-Address == 1.2.3.5
dialup NAS-IP-Address == 1.2.3.6
wireless NAS-IP-Address == 1.3.5.7
Are these the ONLY entries that go into the 'huntgroups' file?
'radiusd -X' includes these lines:
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
However, when I add to 'radgroupcheck':
Wireless_default Huntgroup-Name := wireless
radtest for the user responds with 'reject' -- it responds with 'accept'
as long as that row is not in 'radgroupcheck'.
My Reference Points:
I [think] 'radiusd -X' shows me that:
1. preprocess works first, but I can't see that it is including 'huntgroups'
2. 'radcheck' looks like a replacement for 'users', retrieving username
and password. The key on this allows only one entry per username.
3. 'radgroupcheck' & 'usergroup' provide the 'Group' attribute and
value(s) for the user (these return for me, a member of both groups):
Wireless_Default Simultaneous-Use := 1
DialUp_Default Simultaneous-Use := 1
4. 'radreply' provides specific attributes and values for specific users.
E.g. Session-Timeout := 28800
E.g. Framed-IP-Address := 1.2.3.200
5. 'radgroupreply' is basic attributes and values (noted above)
I see that radacct is the logging.
I'm not sure how radpostauth and userinfo are used, or if they are just
tables I inherited since there is nothing new in them.
The docs are very nice EXCEPT I'm having trouble figuring out how the
MySQL tables fit into the scheme. A nice overview of the /etc/raddb files
and the mysql tables and how they relate to each other would be nice to
have and might help me self-solve my situation.
Thanks for your help, information, and guidance.
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
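The huntgroups file and the SQL group rows for the three access groups, as an added example that is not from the original post or from the FreeRADIUS project; it assumes the radgroupcheck/radgroupreply/usergroup columns of the 0.9/1.0 MySQL schema, and the DSL NAS address and the user name 'alice' are constructed. Check items compare against the request with '==' (the operator the FreeRADIUS users-file documentation uses for Huntgroup-Name); a ':=' check item sets the attribute and always matches.

```sql
-- Added example; not from the original post. Assumes the radgroupcheck,
-- radgroupreply and usergroup tables of the FreeRADIUS 0.9/1.0 MySQL schema.
--
-- /etc/raddb/huntgroups (one line per NAS; a huntgroup name may repeat):
--   dialup    NAS-IP-Address == 1.2.3.4
--   dialup    NAS-IP-Address == 1.2.3.5
--   dialup    NAS-IP-Address == 1.2.3.6
--   wireless  NAS-IP-Address == 1.3.5.7
--   dsl       NAS-IP-Address == 1.4.6.8      (constructed address)
-- When a request arrives from one of those NAS addresses, the preprocess
-- module adds Huntgroup-Name = <name> to the request before sql runs.

-- Group check items. Huntgroup-Name uses '==' so it is compared against
-- the request; ':=' in a check item sets the attribute and always matches.
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES
  ('dialin',   'Huntgroup-Name',   '==', 'dialup'),
  ('dialin',   'Simultaneous-Use', ':=', '1'),
  ('wireless', 'Huntgroup-Name',   '==', 'wireless'),
  ('wireless', 'Simultaneous-Use', ':=', '1'),
  ('dsl',      'Huntgroup-Name',   '==', 'dsl'),
  ('dsl',      'Simultaneous-Use', ':=', '1');

-- Group reply items: a group contributes them only if its check items matched.
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES
  ('dialin',   'Session-Timeout',    ':=', '14400'),
  ('dialin',   'Service-Type',       ':=', 'Framed-User'),
  ('dialin',   'Framed-Compression', ':=', 'Van-Jacobson-TCP-IP'),
  ('dialin',   'Framed-MTU',         ':=', '1500'),
  ('dialin',   'Framed-IP-Address',  ':=', '255.255.255.254'),
  ('wireless', 'Session-Timeout',    ':=', '14400'),
  ('dsl',      'Session-Timeout',    ':=', '14400');

-- Membership: 'alice' (constructed) may use dial-in and wireless, not DSL.
INSERT INTO usergroup (UserName, GroupName) VALUES
  ('alice', 'dialin'),
  ('alice', 'wireless');

-- What the server evaluates for alice, group by group: the dialin row
-- matches a request carrying Huntgroup-Name = dialup, the wireless row
-- matches Huntgroup-Name = wireless, and no dsl row exists for her.
SELECT ug.GroupName, gc.Attribute, gc.op, gc.Value
  FROM usergroup ug
  JOIN radgroupcheck gc ON gc.GroupName = ug.GroupName
 WHERE ug.UserName = 'alice'
 ORDER BY ug.GroupName, gc.id;
```

The SELECT is the query to run when 'radiusd -X' shows a group being skipped, since it lists exactly the check rows the group queries hand to the server for that user.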