Re: Conditional radreply with Freeradius. Possible somehow ?
Pere Hospital wrote:
> I have gone again through the SQL wiki. What I am not able to find
> anywhere (and think that it is what we exactly need) is how to emulate
> this behaviour of check/reply items that you can get via the users file.
> i.e. from users file:

The SQL schema is intended to mirror the users file. i.e. it can be mapped *directly* from the users file.

> #swilson  Service-Type == Framed-User, Huntgroup-Name == alphen
> #         Framed-IP-Address = 192.168.1.65,
> #         Fall-Through = Yes

This becomes (roughly)

radcheck:
    swilson Service-Type == Framed-User
    swilson Huntgroup-Name == alphen

radreply:
    swilson Framed-IP-Address = 192.168.1.65
    swilson Fall-Through = Yes

> This is what I can't see how to do with sql module as radreply is
> related just to the username.

The radreply for the user is referenced *only* if the radcheck entries for that user matched.

> From SQL Wiki:
>
>     In radreply, create entries for each user-specific radius reply
>     attribute against their username
>
> -- against their username and not username + nas-identifier i.e.).
>
> and again
>
>     If check attributes are found, and there's a match, pull the reply
>     items from the radreply table for this user and add them to the reply
>
> -- for this user, so again no info about this user+other requirements ...

The "check attributes are found" text is intended to *be* the other requirements.

> Well, rules are user + NAS based. A user will get a certain IP only if
> he connects to a certain NAS. And from what you say I assume that
> configuration files + sql can be used at the same time?

Yes. All modules are independent.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
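The mapping Alan sketches above covers one users-file entry per user. Pere's case needs two alternative entries for the same user (one per NAS), which the stock 2.x schema expresses through groups: the password and other always-true checks stay in radcheck, each NAS-specific alternative becomes a group whose radgroupcheck row carries the NAS condition and whose radgroupreply row carries the address, and a Fall-Through = Yes row in the user's radreply (exactly as in Alan's mapping) makes rlm_sql go on to the group rows after the user's own rows matched. The NAS condition must not go into radcheck itself: all radcheck rows for a user are compared together, so the user would then match only from that one NAS. The following is an added example, not code from the thread or from the FreeRADIUS project; the user name "pere", the group names, the NAS identifiers, the addresses and the password are constructed for the illustration, and the table and column names are those of the standard FreeRADIUS 2.x schema.

```sql
-- Added example: "same user, different Framed-IP-Address depending on NAS"
-- in the standard FreeRADIUS 2.x SQL schema (radcheck, radreply,
-- radgroupcheck, radgroupreply, radusergroup). All values are constructed.

-- 1. Per-user check items: only conditions that must hold on every login.
--    Do NOT put the NAS condition here; every radcheck row of a user is
--    compared together, so the user would be rejected from any other NAS.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('pere', 'Cleartext-Password', ':=', 'constructed-example-secret'),
  ('pere', 'Expiration',         ':=', 'Dec 31 2010'),
  ('pere', 'Simultaneous-Use',   ':=', '1');

-- 2. Per-user reply items. Fall-Through = Yes tells rlm_sql to continue
--    with the group rows after the user's own rows matched (this is the
--    same Fall-Through as in the users-file example of the thread).
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('pere', 'Fall-Through', '=', 'Yes');

-- 3. One group per (user, NAS) pair that should hand out a static address.
--    The check row is the condition; the reply row is only added to the
--    Access-Accept when the check row matched the request.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
  ('pere-vpn-madrid',    'NAS-Identifier', '==', 'vpn-madrid'),
  ('pere-vpn-barcelona', 'NAS-Identifier', '==', 'vpn-barcelona');

INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('pere-vpn-madrid',    'Framed-IP-Address', '=', '10.10.1.65'),
  ('pere-vpn-barcelona', 'Framed-IP-Address', '=', '10.20.1.65');

-- 4. Membership, processed in ascending priority order.
--    Request from vpn-madrid:    group 1 matches -> Framed-IP-Address 10.10.1.65
--    Request from vpn-barcelona: group 1 check fails and is skipped,
--                                group 2 matches -> Framed-IP-Address 10.20.1.65
--    Request from any other NAS: neither check matches, no address is returned,
--                                the user is still accepted on the radcheck rows.
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('pere', 'pere-vpn-madrid',    1),
  ('pere', 'pere-vpn-barcelona', 2);

-- Sanity check: the conditions rlm_sql will evaluate for this user, in order.
SELECT g.priority, g.groupname, c.attribute, c.op, c.value
  FROM radusergroup  g
  JOIN radgroupcheck c ON c.groupname = g.groupname
 WHERE g.username = 'pere'
 ORDER BY g.priority;
```

Two caveats a practitioner will run into. First, radgroupreply rows are shared by every member of the group, so a per-user address needs a group per user and NAS, which is why Alan's advice to write the rule in the configuration (unlang) scales better once there are more than a handful of users. Second, NAS-Identifier is just a string the NAS puts in its own Access-Request; it is only as trustworthy as that NAS and its shared secret, so if the address assignment matters, key the condition on something the server itself knows about the client, such as a Huntgroup-Name defined from NAS-IP-Address in the huntgroups file, as the users-file example in this thread does. Verify the result by running the server in debug mode (radiusd -X) and sending a test request with NAS-Identifier set to each value in turn.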
Re: Conditional radreply with Freeradius. Possible somehow ?
Pere Hospital wrote:
> So the logic of the process would be:
>
> Receive auth request from VPN server
> --- Authenticate/Authorize user (via radcheck, checking expiration date, number of simultaneous logins ...).
> --- If NAS-Identifier = X then return (via radreply) Framed-IP-Address=Y
> --- If NAS-Identifier = Z then return (via radreply) Framed-IP-Address=W
> --- otherwise don't return a Framed-IP-Address
>
> Is this possible somehow?

Yes.

> We are using SQL module in freeradius.

See the Wiki for how the SQL module works.

Though since these rules are NAS based and not user based, I would suggest simply writing them in the configuration. See man unlang.

And upgrade to 2.1.9...

Alan DeKok.
Re: Conditional radreply with Freeradius. Possible somehow ?
Thanks for the answer.

I have gone again through the SQL wiki. What I am not able to find anywhere (and think that it is what we exactly need) is how to emulate this behaviour of check/reply items that you can get via the users file. i.e. from users file:

    # user swilson will only get a static IP number if he logs in with
    # a framed protocol on a terminal server in Alphen (see the huntgroups file).
    #
    # Note that by setting Fall-Through, other attributes will be added from
    # the following DEFAULT entries
    #
    #swilson  Service-Type == Framed-User, Huntgroup-Name == alphen
    #         Framed-IP-Address = 192.168.1.65,
    #         Fall-Through = Yes

Here you are checking for two parameters (service-type, huntgroup ... in our case could be cleartext pass and nas-identifier) and then if both checks succeed return the framed ip.

This is what I can't see how to do with sql module as radreply is related just to the username.

From SQL Wiki:

    In radreply, create entries for each user-specific radius reply
    attribute against their username

-- against their username and not username + nas-identifier i.e.).

and again

    If check attributes are found, and there's a match, pull the reply
    items from the radreply table for this user and add them to the reply

-- for this user, so again no info about this user+other requirements ...

Also:

> Though since these rules are NAS based and not user based, I would
> suggest simply writing them in the configuration. See man unlang.

Well, rules are user + NAS based. A user will get a certain IP only if he connects to a certain NAS. And from what you say I assume that configuration files + sql can be used at the same time?

Sorry to be so lost here :)

Pere

On Wed, 26 May 2010 09:18:49 +0200 Alan DeKok al...@deployingradius.com wrote:
> Pere Hospital wrote:
> > So the logic of the process would be:
> >
> > Receive auth request from VPN server
> > --- Authenticate/Authorize user (via radcheck, checking expiration date, number of simultaneous logins ...).
> > --- If NAS-Identifier = X then return (via radreply) Framed-IP-Address=Y
> > --- If NAS-Identifier = Z then return (via radreply) Framed-IP-Address=W
> > --- otherwise don't return a Framed-IP-Address
> >
> > Is this possible somehow?
>
> Yes.
>
> > We are using SQL module in freeradius.
>
> See the Wiki for how the SQL module works.
>
> Though since these rules are NAS based and not user based, I would
> suggest simply writing them in the configuration. See man unlang.
>
> And upgrade to 2.1.9...
>
> Alan DeKok.

-- 
Pere Hospital, CISSP®, OSCP®
secWays Security First
p: +34 933905455  m: +34 649827299
e: p...@secways.com  w: www.secways.com
PGP keyid: 0x100D35BDA0F669A8  http://keyserver.pgp.com
Conditional radreply with Freeradius. Possible somehow ?
Hi all,

Here is the situation. We have a freeradius server that receives authentication/authorization requests from multiple vpn servers. For just CERTAIN servers we want to return a Framed-IP-Address via radreply. We would control the Framed-IP-Address return value (if any) via the Nas-Identifier parameter that we receive from the VPN servers.

So the logic of the process would be:

Receive auth request from VPN server
--- Authenticate/Authorize user (via radcheck, checking expiration date, number of simultaneous logins ...).
--- If NAS-Identifier = X then return (via radreply) Framed-IP-Address=Y
--- If NAS-Identifier = Z then return (via radreply) Framed-IP-Address=W
--- otherwise don't return a Framed-IP-Address

Is this possible somehow?

We are using SQL module in freeradius.

Details:
    Debian 5.0.4
    freeradius 2.0.4+dfsg-6

Regards,
Pere