I need to have my NetworkGroup get passed one set of attributes and my ServerGroup get passed another. But I have some EnterpriseAdmins who need access to both sets, so I need to pass the correct attribute back depending on which device they try to auth from.

User Joe is an EnterpriseAdmin. He is a member of the NetworkGroup and the ServerGroup, so I need him to have the correct attributes passed to him depending on which NAS-IP-Address he comes from, respectively. For instance, if Joe tries to log in through 192.168.0.50 I need to pass back "Class = OU=ServerGroup". If Joe tries to log in through 192.168.0.1 I need to pass him "Class = OU=NetworkGroup". The way it stands, no matter which NAS-IP-Address he comes from, because he is a member of both groups he gets both attributes sent back from radgroupreply.

User Sally is a member of the NetworkGroup so I only want radgroupreply to send just the attributes for the NetworkGroup.

User Bob is a member of the ServerGroup so I only want Bob to get the attributes from the ServerGroup.

mysql> select * from radcheck;
+----+----------+----------------------+----+---------------------------------------+
| id | UserName | Attribute            | op | Value                                 |
+----+----------+----------------------+----+---------------------------------------+
|  8 | joe      | Password-With-Header | := | {md5}928a40033e748ad825e92ec4f9870696 |
|  9 | sally    | Password-With-Header | := | {md5}928a40033e748ad825e92ec4f9870696 |
| 10 | bob      | Password-With-Header | := | {md5}928a40033e748ad825e92ec4f9870696 |
+----+----------+----------------------+----+---------------------------------------+

mysql> select * from usergroup;
+----------+--------------+----------+
| UserName | GroupName    | priority |
+----------+--------------+----------+
| joe      | NetworkGroup |        1 |
| joe      | ServerGroup  |        2 |
| sally    | NetworkGroup |        1 |
| bob      | ServerGroup  |        1 |
+----------+--------------+----------+

mysql> select * from radgroupcheck;
+----+--------------+----------------+----+--------------+
| id | GroupName    | Attribute      | op | Value        |
+----+--------------+----------------+----+--------------+
|  9 | ServerGroup  | NAS-IP-Address | =  | 192.168.0.50 |
| 10 | ServerGroup  | Auth-Type      | =  | MD5          |
| 11 | NetworkGroup | NAS-IP-Address | =  | 192.168.0.1  |
| 12 | NetworkGroup | Auth-Type      | =  | MD5          |
+----+--------------+----------------+----+--------------+

mysql> select * from radgroupreply;
+----+--------------+-----------+----+-----------------+
| id | GroupName    | Attribute | op | Value           |
+----+--------------+-----------+----+-----------------+
| 17 | NetworkGroup | Class     | := | OU=NetworkGroup |
| 18 | ServerGroup  | Class     | := | OU=serverGroup  |
+----+--------------+-----------+----+-----------------+


Steps to reproduce if needed.
insert into usergroup (UserName, GroupName, priority) VALUES ('joe', 'NetworkGroup', 1);
insert into usergroup (UserName, GroupName, priority) VALUES ('joe', 'ServerGroup', 2);
insert into usergroup (UserName, GroupName, priority) VALUES ('sally', 'NetworkGroup', 1);
insert into usergroup (UserName, GroupName, priority) VALUES ('bob', 'ServerGroup', 1);

insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('ServerGroup', 'NAS-IP-Address', '=', '192.168.0.50');
insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('ServerGroup', 'Auth-Type', '=', 'MD5');
insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('NetworkGroup', 'NAS-IP-Address', '=', '192.168.0.1');
insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('NetworkGroup', 'Auth-Type', '=', 'MD5');

insert into radgroupreply (GroupName, Attribute, op, Value) VALUES ('NetworkGroup', 'Class', ':=', 'OU=NetworkGroup');
insert into radgroupreply (GroupName, Attribute, op, Value) VALUES ('ServerGroup', 'Class', ':=', 'OU=serverGroup');

Thanks for your time.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
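
Added example, not part of the original post and not FreeRADIUS's own group-processing query: a stand-alone model of the selection the post asks for, where a group's reply rows are returned only when that group's NAS-IP-Address check row equals the NAS the request came from. It assumes SQLite in place of MySQL, a constructed copy of the tables above, and a hypothetical helper named group_reply.

```python
import sqlite3

# Constructed copy of the tables shown in the post (SQLite instead of MySQL).
SCHEMA = """
CREATE TABLE usergroup (UserName TEXT, GroupName TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupreply (GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
INSERT INTO usergroup VALUES ('joe','NetworkGroup',1), ('joe','ServerGroup',2),
  ('sally','NetworkGroup',1), ('bob','ServerGroup',1);
INSERT INTO radgroupcheck VALUES
  ('ServerGroup','NAS-IP-Address','=','192.168.0.50'),
  ('ServerGroup','Auth-Type','=','MD5'),
  ('NetworkGroup','NAS-IP-Address','=','192.168.0.1'),
  ('NetworkGroup','Auth-Type','=','MD5');
INSERT INTO radgroupreply VALUES
  ('NetworkGroup','Class',':=','OU=NetworkGroup'),
  ('ServerGroup','Class',':=','OU=serverGroup');
"""

# Reply rows only for groups the user belongs to AND whose NAS-IP-Address
# check row equals the NAS the request arrived from. Without the join on
# radgroupcheck, joe would receive both Class values from every NAS.
QUERY = """
SELECT r.Attribute, r.op, r.Value
FROM usergroup u
JOIN radgroupcheck c ON c.GroupName = u.GroupName
                    AND c.Attribute = 'NAS-IP-Address'
JOIN radgroupreply r ON r.GroupName = u.GroupName
WHERE u.UserName = ? AND c.Value = ?
ORDER BY u.priority
"""

def make_db():
    """Build the in-memory sample database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def group_reply(db, user, nas_ip):
    """Hypothetical helper: reply items for `user` arriving via `nas_ip`."""
    return db.execute(QUERY, (user, nas_ip)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for user, nas in [("joe", "192.168.0.50"), ("joe", "192.168.0.1"),
                      ("sally", "192.168.0.1"), ("sally", "192.168.0.50"),
                      ("bob", "192.168.0.50")]:
        print(user, nas, group_reply(db, user, nas))
```

A user who arrives from a NAS that none of their groups is bound to gets an empty reply set, which is the case to test for before relying on Class for authorization on the device.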
