Re: Freeradius + MySQL + huntgroups configuration and more questions

2005-05-13 Thread Marcin Jessa

Will

dialup          NAS-IP-Address == 0.0.0.0

allow users who are members of the dialup group to log in from any NAS?


On Thu, 12 May 2005 20:19:13 -0400
Alan DeKok [EMAIL PROTECTED] wrote:

> [EMAIL PROTECTED] wrote:
> > radiusd: FreeRADIUS Version 0.9.3, for host i686-pc-linux-gnu, built on
> > Nov  9 2004 at 11:08:43
>
>   You should really upgrade to 1.0.2.
>
> > What I Need to Accomplish:
> > a. Any given user may have access to any combination of dialin, wireless,
> >  dsl
>
>   The server allows this by default, unless you edit the configuration
> to disallow this.
>
> > b. Reject access to unknown users,
>
>   The server does this by default.
>
> > virus_lockout, billing_lockout and email_only customers, regardless
> > of the NAS they are using.
>
>   How do you define those customers?
>
> > c. Accept a known user from a modem server only if the user is part of the
> > dialin group.
> > d. Accept a known user from a wireless access point only if the user is
> > part of the wireless group.
> > e. Accept a known user from DSL only if the user is part of the dsl group.
>
>   See the FAQ, you can do group checking via Unix groups.  See also
> rlm_passwd in 1.0.2, for non-Unix group checks.
>
> > However, when I add to 'radgroupcheck':
> >   Wireless_default        Huntgroup-Name := wireless
>
>   That should be '=='
>
> > 3. 'radgroupcheck' & 'usergroup' provides the 'Group' attribute
>
>   No.  The Group attribute is for checking Unix groups, nothing else.
>
> ...
> > Are these the ONLY entries that go into the huntgroups file?
>
>   Yes.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius + MySQL + huntgroups configuration and more questions

2005-05-13 Thread dstewart
Sorry for starting a new thread; I had subscribed to digest instead of
individual e-mails.

> You should really upgrade to 1.0.2.

Completed.
radiusd: FreeRADIUS Version 1.0.2, for host , built on May 13 2005 at
09:43:36 (updated from 0.9.3)

Now I get the line I had not been seeing!
huntgroups: Matched wireless at 56

PROBLEMS:

1. Reply to a wireless NAS has the 'Dialup_Default' attributes/values
(specifically Session-Timeout := 14400) instead of 'Wireless_Default'
attributes/values (specifically Session-Timeout := 0) for a user who is
part of both the Wireless_Default and Dialup_Default groups.

2. Reply to a dialup NAS is Accept for a user who is a member of only
the Wireless_Default group.  That should be reject.  The
Wireless_Default attribute/values (specifically Session-Timeout := 0)
are returned.

> How do you define those customers?

select * from radgroupcheck;
+----+-------------------+------------------+----+----------+
| id | GroupName         | Attribute        | op | Value    |
+----+-------------------+------------------+----+----------+
| 15 | DialUp_Default    | Simultaneous-Use | := | 1        |
|  6 | EmailOnly_Default | Auth-Type        | := | Reject   |
|  7 | EmailOnly_Default | Simultaneous-Use | := | 0        |
|  8 | LockOut_Billing   | Auth-Type        | := | Reject   |
|  9 | LockOut_Billing   | Simultaneous-Use | := | 0        |
| 14 | Wireless_Default  | Simultaneous-Use | := | 1        |
| 11 | Virus_Lockout     | Auth-Type        | := | Reject   |
| 24 | Wireless_Default  | Huntgroup-Name   | == | wireless |
+----+-------------------+------------------+----+----------+

select * from radgroupreply;
+----+-------------------+--------------------+----+--------------------------------------------------------+------+
| id | GroupName         | Attribute          | op | Value                                                  | prio |
+----+-------------------+--------------------+----+--------------------------------------------------------+------+
| 16 | DialUp_Default    | Session-Timeout    | := | 14400                                                  |    0 |
| 15 | DialUp_Default    | Service-Type       | := | Framed-User                                            |    0 |
| 14 | DialUp_Default    | Framed-Compression | := | Van-Jacobsen-TCP-IP                                    |    0 |
| 13 | DialUp_Default    | Framed-MTU         | := | 1500                                                   |    0 |
| 12 | DialUp_Default    | Framed-IP-Address  | := | 255.255.255.254                                        |    0 |
| 23 | EmailOnly_Default | Reply-Message      | =  | Email only accounts may not dial up.                   |    0 |
| 11 | DialUp_Default    | Framed-Protocol    | := | PPP                                                    |    0 |
| 25 | LockOut_Billing   | Reply-Message      | =  | This account has been suspended due to billing issues. |    0 |
| 27 | Virus_Lockout     | Reply-Message      | =  | Account suspended for virus-spam complaints            |    0 |
| 31 | Wireless_Default  | Framed-Protocol    | := | PPP                                                    |    0 |
| 32 | Wireless_Default  | Framed-IP-Address  | := | 255.255.255.254                                        |    0 |
| 33 | Wireless_Default  | Framed-MTU         | := | 1500                                                   |    0 |
| 34 | Wireless_Default  | Framed-Compression | := | Van-Jacobsen-TCP-IP                                    |    0 |
| 35 | Wireless_Default  | Service-Type       | := | Framed-User                                            |    0 |
| 36 | Wireless_Default  | Session-Timeout    | := | 0                                                      |    0 |
| 37 | Wireless_Default  | Port-Limit         | := | 1                                                      |    0 |
| 17 | DialUp_Default    | Idle-Timeout       | := | 1200                                                   |    0 |
| 18 | DialUp_Default    | Port-Limit         | := | 1                                                      |    0 |
+----+-------------------+--------------------+----+--------------------------------------------------------+------+

select * from usergroup where UserName='ME';
+------+----------+------------------+----------------+
| id   | UserName | GroupName        | LastMod        |
+------+----------+------------------+----------------+
| 6522 | ME       | DialUp_Default   | 20050511100844 |
| 6523 | ME       | Wireless_Default | 20050511100915 |
+------+----------+------------------+----------------+

>   See the FAQ, you can do group checking via Unix groups.  See also
> rlm_passwd in 1.0.2, for non-Unix group checks.

I am NOT using Linux passwd/shadow/groups for RADIUS purposes -- only
administrators have System accounts.


'huntgroups' includes:
dialup          NAS-IP-Address == 1.2.3.4
wireless        NAS-IP-Address == 1.3.5.7


FROM THE TEST CLIENT:
radtest ME 
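Added example, not from the thread and not FreeRADIUS's own code: a small Python model of how the huntgroups file and the radgroupcheck / radgroupreply / usergroup rows in this post combine, following Alan's advice (quoted earlier in the thread and repeated in his reply below) that a Huntgroup-Name check row must use '==' rather than ':='. It reproduces problem 1 (DialUp_Default has no Huntgroup-Name check, so it matches from the wireless NAS and, being the user's first group, supplies the reply) and the shape of problem 2 (a group whose check fails contributes nothing, and nothing else rejects). The extra 'dialup' check row, the 'wifionly' user and the catch-all 'NoAccess_Default' group are assumptions added for illustration, and the first-matching-group / Fall-Through rule is a simplification of rlm_sql, not the server's code.

```python
# Added example (not from the thread, not FreeRADIUS code): a small model of how
# the preprocess huntgroups file and the rlm_sql group tables in the post combine,
# reduced to the two check operators at issue, "==" and ":=". Simplifications of
# FreeRADIUS 1.x behaviour assumed here: a "==" check row must equal the request
# attribute, a ":=" check row always matches and becomes a config item (which is
# how Auth-Type := Reject works); groups are tried in usergroup order and the
# first group whose check rows all match supplies the reply, later groups being
# skipped unless that reply carries Fall-Through := Yes.

# Constructed copy of the huntgroups file from the post (a TAB after the name).
HUNTGROUPS = "dialup\tNAS-IP-Address == 1.2.3.4\nwireless\tNAS-IP-Address == 1.3.5.7\n"

def parse_huntgroups(text):
    """Parse 'name<TAB>Attribute == value' lines into (name, attr, value) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        name, tab, cond = line.partition("\t")
        fields = cond.split()
        if not tab or len(fields) != 3 or fields[1] != "==":
            raise ValueError(f"huntgroups line {lineno}: expected name<TAB>Attr == value")
        entries.append((name.strip(), fields[0], fields[2]))
    return entries

def huntgroup_name(entries, request):
    """Like preprocess: the first huntgroup whose condition the request satisfies."""
    for name, attr, value in entries:
        if request.get(attr) == value:
            return name
    return None

def check_matches(rows, request, config):
    """Evaluate one group's radgroupcheck rows; ':=' rows are stored in config."""
    for attr, op, value in rows:
        if op == ":=":
            config[attr] = value          # always matches; sets a config item
        elif request.get(attr) != value:  # "==" (the only other operator modelled)
            return False
    return True

def authorize(user, request, usergroup, radgroupcheck, radgroupreply, huntgroups):
    """Return (accepted, reply, matched_groups) for a user that radcheck already passed."""
    request = dict(request)
    hg = huntgroup_name(huntgroups, request)
    if hg is not None:
        request["Huntgroup-Name"] = hg
    config, reply, matched = {}, {}, []
    for group in usergroup.get(user, []):
        rows = [(a, o, v) for g, a, o, v in radgroupcheck if g == group]
        trial = dict(config)
        if not check_matches(rows, request, trial):
            continue                    # this group does not apply to this request
        config, matched = trial, matched + [group]
        for g, attr, _op, value in radgroupreply:
            if g == group:
                reply[attr] = value     # ':=' (replace) and '=' (add) both modelled as set
        if reply.get("Fall-Through", "no").lower() != "yes":
            break                       # first matching group wins
    return config.get("Auth-Type") != "Reject", reply, matched

# Rows constructed from the post's tables, keeping only the columns that matter here.
RADGROUPCHECK = [
    ("DialUp_Default",    "Simultaneous-Use", ":=", "1"),
    ("EmailOnly_Default", "Auth-Type",        ":=", "Reject"),
    ("Wireless_Default",  "Huntgroup-Name",   "==", "wireless"),
]
RADGROUPREPLY = [
    ("DialUp_Default",   "Session-Timeout", ":=", "14400"),
    ("Wireless_Default", "Session-Timeout", ":=", "0"),
]
USERGROUP = {"ME": ["DialUp_Default", "Wireless_Default"],  # as in the post
             "wifionly": ["Wireless_Default"]}              # constructed user
HG = parse_huntgroups(HUNTGROUPS)
WIRELESS_NAS, DIALUP_NAS = {"NAS-IP-Address": "1.3.5.7"}, {"NAS-IP-Address": "1.2.3.4"}

# Assumed fix for problem 1: DialUp_Default gets its own Huntgroup-Name check.
FIXED_CHECK = RADGROUPCHECK + [("DialUp_Default", "Huntgroup-Name", "==", "dialup")]
# Assumed fix for problem 2: a catch-all group listed last for every user; since the
# first matching group ends processing, it only fires when no access group matched.
CATCHALL_CHECK = FIXED_CHECK + [("NoAccess_Default", "Auth-Type", ":=", "Reject")]
CATCHALL_USERGROUP = {u: gs + ["NoAccess_Default"] for u, gs in USERGROUP.items()}

def problem_1():   # ME from the wireless NAS receives the DialUp_Default reply
    return authorize("ME", WIRELESS_NAS, USERGROUP, RADGROUPCHECK, RADGROUPREPLY, HG)

def problem_2():   # a wireless-only user is accepted from the dialup NAS
    return authorize("wifionly", DIALUP_NAS, USERGROUP, RADGROUPCHECK, RADGROUPREPLY, HG)

def fixed_1():
    return authorize("ME", WIRELESS_NAS, USERGROUP, FIXED_CHECK, RADGROUPREPLY, HG)

def fixed_2():
    return authorize("wifionly", DIALUP_NAS, CATCHALL_USERGROUP, CATCHALL_CHECK, RADGROUPREPLY, HG)

if __name__ == "__main__":
    for fn in (problem_1, problem_2, fixed_1, fixed_2):
        print(fn.__name__, fn())
```

Running the file prints the four results. The two things the model makes visible are that every access group needs its own Huntgroup-Name == row (otherwise it matches from every NAS and, if it is the user's first group, its reply wins), and that a user whose groups all fail their checks is not rejected by that alone: rejecting them needs an explicit rule such as the assumed catch-all group.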

Freeradius + MySQL + huntgroups configuration and more questions

2005-05-12 Thread dstewart
First posting to group, please be gentle. . .

Version:
radiusd: FreeRADIUS Version 0.9.3, for host i686-pc-linux-gnu, built on
Nov  9 2004 at 11:08:43
Running on SuSE Linux 2.6.5-7.151-smp Fri Mar 18 11:31:21 UTC 2005 i686
i686 i386 GNU/Linux

For several months, our system has been working to allow dialup and reject
e-mail only, virus lockouts, and billing lockouts.  We want to add RADIUS
to our wireless and DSL systems.

What I Need to Accomplish:
a. Any given user may have access to any combination of dialin, wireless, dsl
b. Reject access to unknown users, virus_lockout, billing_lockout and
email_only customers, regardless of the NAS they are using.
c. Accept a known user from a modem server only if the user is part of the
dialin group.
d. Accept a known user from a wireless access point only if the user is
part of the wireless group.
e. Accept a known user from DSL only if the user is part of the dsl group.

Our 'DialUp_Default' group is given these attributes and values:
Coming from the 'radgroupreply' table:
Session-Timeout := 14400
Service-Type := Framed-User
Framed-Compression := Van-Jacobsen-TCP-IP
Framed-MTU := 1500
Framed-IP-Address := 255.255.255.254
Coming from the 'radgroupcheck' table:
Simultaneous-Use := 1
[Question: Is that even done correctly?]

I've been trying to setup 'huntgroups' using this template:
dialup          NAS-IP-Address == 1.2.3.4
dialup          NAS-IP-Address == 1.2.3.5
dialup          NAS-IP-Address == 1.2.3.6
wireless        NAS-IP-Address == 1.3.5.7
Are these the ONLY entries that go into the 'huntgroups' file?

'radiusd -X' includes these lines:
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
However, when I add to 'radgroupcheck':
Wireless_default        Huntgroup-Name := wireless
radtest for the user responds with 'reject' -- it responds with 'accept'
as long as that row is not in 'radgroupcheck'.

My Reference Points:
I [think] 'radiusd -X' shows me that:
1. preprocess works first, but I can't see that it is including 'huntgroups'
2. 'radcheck' looks like a replacement for 'users', retrieving username
and password.  The key on this allows only one entry per username.
3. 'radgroupcheck' & 'usergroup' provides the 'Group' attribute and
value(s) for the user (these return for me, a member of both groups):
Wireless_Default        Simultaneous-Use := 1
DialUp_Default          Simultaneous-Use := 1
4. 'radreply' provides specific attributes and values for specific users.
Eg. Session-Timeout := 28800
Eg. Framed-IP-Address := 1.2.3.200
5. 'radgroupreply' is basic attributes and values (noted above)

I see that radacct is the logging.

I'm not sure how radpostauth and userinfo are used, or if they are just
tables I inherited since there is nothing new in them.

The docs are very nice EXCEPT I'm having trouble figuring out how the
MySQL tables fit into the scheme.  A nice overview of the /etc/raddb files
and the mysql tables and how they relate to each other would be nice to
have and might help me self-solve my situation.

Thanks for your help, information, and guidance.

Danny



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + MySQL + huntgroups configuration and more questions

2005-05-12 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> radiusd: FreeRADIUS Version 0.9.3, for host i686-pc-linux-gnu, built on
> Nov  9 2004 at 11:08:43

  You should really upgrade to 1.0.2.

> What I Need to Accomplish:
> a. Any given user may have access to any combination of dialin, wireless,
>  dsl

  The server allows this by default, unless you edit the configuration
to disallow this.

> b. Reject access to unknown users,

  The server does this by default.

> virus_lockout, billing_lockout and email_only customers, regardless
> of the NAS they are using.

  How do you define those customers?

> c. Accept a known user from a modem server only if the user is part of the
> dialin group.
> d. Accept a known user from a wireless access point only if the user is
> part of the wireless group.
> e. Accept a known user from DSL only if the user is part of the dsl group.

  See the FAQ, you can do group checking via Unix groups.  See also
rlm_passwd in 1.0.2, for non-Unix group checks.

> However, when I add to 'radgroupcheck':
>   Wireless_default        Huntgroup-Name := wireless

  That should be '=='

> 3. 'radgroupcheck' & 'usergroup' provides the 'Group' attribute

  No.  The Group attribute is for checking Unix groups, nothing else.

...
> Are these the ONLY entries that go into the huntgroups file?

  Yes.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html