Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-14 Thread Ville Leinonen

Hi,

Any news for this problem?

Br,

Ville

On 5.8.2013 19:08, vi...@leinonen.org wrote:

Here:

rad_recv: Access-Request packet from host 172.150.0.62 port 25196, id=194,
length=63
 User-Name = testu...@.fi
 User-Password = testpass
 NAS-IP-Address = 172.150.0.62
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805
[auth_log]  expand: %t - Mon Aug  5 19:03:20 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm .fi for User-Name = testu...@.fi
[suffix] No such realm .fi
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
   [ldap] Entering ldap_groupcmp()
[files] expand: dc=demonet,dc=local - dc=demonet,dc=local
[files] expand: %{Stripped-User-Name} -
[files] ... expanding second conditional
[files] expand: %{User-Name} - testu...@.fi
[files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
(uid=testu...@.fi)
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=demonet,dc=local, with filter
(uid=testu...@.fi)
   [ldap] ldap_release_conn: Release Id: 0
[files] expand:
(|((objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
- (|((objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))((objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=demonet,dc=local, with filter
((cn=)(|((objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))((objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in cn=Tauno
Testaaja,ou=,ou=Customers,dc=demonet,dc=local, with filter
(objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group 
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] Entering ldap_groupcmp()
[files] expand: dc=demonet,dc=local - dc=demonet,dc=local
[files] expand:
(|((objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
- (|((objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))((objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=demonet,dc=local, with filter
((cn=disabled)(|((objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))((objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in cn=Tauno
Testaaja,ou=,ou=Customers,dc=demonet,dc=local, with filter
(objectclass=*)
rlm_ldap::groupcmp: Group disabled not found or user not a member
   [ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for testu...@.fi
[ldap]  expand: %{Stripped-User-Name} -
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} - testu...@.fi
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
(uid=testu...@.fi)
[ldap]  expand: dc=demonet,dc=local - dc=demonet,dc=local
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=demonet,dc=local, with filter
(uid=testu...@.fi)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
   [ldap] userPassword - Password-With-Header ==
{SSHA}g5PDm9CrOOQu+XjbMGHTPnY43mifXND0
[ldap] looking for reply items in directory...
[ldap] Setting Auth-Type = LDAP
[ldap] user testu...@.fi authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] 

Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread ville

Hi,

I have installed fr 2.1.10 w openldap and I can authenticate users  
against ldap.
I have also added groups in ldap and allowed ldap module to search  
groups and it also works fine.


Now the problem is that huntgroups won't work. I need to restrict  
access to NAS for specific groups. I can see that the groups match  
(rlm_ldap::ldap_groupcmp: User found in group ), but the huntgroup match  
won't work.


file huntgroups:

   NAS-IP-Address  == 172.150.0.1

file users:

DEFAULT Ldap-Group == 
   Huntgroup-Name == 

I would be very glad for any help, and if someone has a better solution for  
this I'm happy to hear it. There are about 600 NAS (sw's and routers)  
for different customers, and we need to provide mgmt access to  
customers and our NOC staff, so I think we need to use huntgroups with  
groups; if someone has an example for this one I'd be very glad for that  
also.


Best regards,

Ville Leinonen

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread A.L.M. Buxey
Hi,

 file users:
 
 DEFAULT Ldap-Group == 
Huntgroup-Name == 

multiple lines? the first line is CHECK items. other lines are REPLY items

alan
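To make the check-item/reply-item distinction concrete, and to show why a users entry whose check items fail does not by itself deny access, here is an added example that is not FreeRADIUS code: a small Python model of how the huntgroups and users files are evaluated. The huntgroup names (noc, custA), the LDAP group names and most NAS addresses are constructed; 172.150.0.62 and 172.150.0.1 are the addresses that appear in this thread's huntgroups file and debug output. The point it demonstrates is that when every entry's check items fail, rlm_files returns noop and nothing has been set, so authorization simply continues (in the debug output quoted in this thread, rlm_ldap then sets Auth-Type = LDAP and the user is accepted); a final DEFAULT entry that sets Auth-Type := Reject turns that fail-open behaviour into fail-closed.

```python
"""Simplified model of how FreeRADIUS evaluates the huntgroups and users files.
Added example for illustration; this is NOT rlm_files code. Group names and
most NAS addresses below are constructed; 172.150.0.62 and 172.150.0.1 are
the addresses that appear in the thread."""
import re

# Constructed huntgroups file: a NAS is in a huntgroup if ANY line of that
# name matches ALL of the items on that line.
HUNTGROUPS = """
noc      NAS-IP-Address == 172.150.0.1
noc      NAS-IP-Address == 172.150.0.2
custA    NAS-IP-Address == 172.150.0.62
"""

# Constructed users file. First line of an entry = check items (all must
# match); indented continuation lines = reply items.
USERS = """
DEFAULT  Ldap-Group == "noc-staff", Huntgroup-Name == "noc"
         Service-Type = Administrative-User
DEFAULT  Ldap-Group == "custA-admins", Huntgroup-Name == "custA"
         Service-Type = Administrative-User
"""

# Fail-closed variant: a last DEFAULT that rejects whatever fell through.
USERS_FAIL_CLOSED = USERS + """
DEFAULT  Auth-Type := Reject
         Reply-Message = "Not permitted on this NAS"
"""

ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^\s,]+)')


def parse_items(text):
    """'Attr op value, Attr op value' -> [(attr, op, value), ...]"""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_huntgroups(text):
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            name, rest = line.split(None, 1)
            groups.setdefault(name, []).append(parse_items(rest))
    return groups


def parse_users(text):
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                      # continuation: reply items
            entries[-1]["reply"] += parse_items(line)
        else:                                      # new entry: name + checks
            parts = line.split(None, 1)
            checks = parse_items(parts[1]) if len(parts) > 1 else []
            entries.append({"name": parts[0], "check": checks, "reply": []})
    return entries


def in_huntgroup(name, request, huntgroups):
    return any(all(request.get(a) == v for a, _, v in items)
               for items in huntgroups.get(name, []))


def authorize(request, users, huntgroups, ldap_groups):
    """Walk entries in order; the first whose check items all match wins
    (Fall-Through is not modelled). Returns (module_rc, control, reply)."""
    control, reply = {}, {}
    for entry in users:
        if entry["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        sets, matched = {}, True
        for attr, op, value in entry["check"]:
            if op == ":=":                      # set item: applied on match
                sets[attr] = value
            elif attr == "Huntgroup-Name":      # virtual attr -> huntgroups file
                matched = in_huntgroup(value, request, huntgroups)
            elif attr == "Ldap-Group":          # virtual attr -> rlm_ldap groupcmp
                matched = value in ldap_groups
            else:
                matched = request.get(attr) == value
            if not matched:
                break
        if matched:
            control.update(sets)
            reply.update({a: v for a, _, v in entry["reply"]})
            return "ok", control, reply
    return "noop", control, reply               # nothing matched: files = noop


def decide(request, users_text, huntgroups_text, ldap_groups):
    """'reject' only if some entry set Auth-Type := Reject; otherwise the
    request continues to later modules (in the thread, rlm_ldap accepts it)."""
    rc, control, reply = authorize(request, parse_users(users_text),
                                   parse_huntgroups(huntgroups_text), ldap_groups)
    outcome = "reject" if control.get("Auth-Type") == "Reject" else "continue"
    return outcome, rc, reply


if __name__ == "__main__":
    req = {"User-Name": "testuser", "NAS-IP-Address": "172.150.0.62"}
    print(decide(req, USERS, HUNTGROUPS, {"noc-staff"}))             # fail-open
    print(decide(req, USERS_FAIL_CLOSED, HUNTGROUPS, {"noc-staff"}))  # reject
```

Run as-is, the first line printed is ('continue', 'noop', {}): a NOC user on a customer NAS matches no entry, files returns noop, and nothing stops the ldap module from authorizing. The second line shows the same request rejected once the fail-closed DEFAULT is appended.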


Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread ville
Hi,

Thank you for your reply.

It was my mistake, when i was testing.

Corrected DEFAULT Ldap-Group == , Huntgroup-Name == 
Still not working as i want.

Br,

Ville

 Hi,

 file users:

 DEFAULT Ldap-Group == 
Huntgroup-Name == 

 multiple lines? the first line is CHECK items. other lines are REPLY items

 alan




Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread A.L.M. Buxey
Hi,

 It was my mistake, when i was testing.
 
 Corrected DEFAULT Ldap-Group == , Huntgroup-Name == 
 Still not working as i want.

output? 

alan


Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread ville
Here comes:

rlm_ldap::ldap_groupcmp: User found in group 

and the user still gets in. I noticed that if I disable ldap
and put the user in the users file like this:

vi...@.fi Cleartext-Password := , Huntgroup-Name == 

it works and i can filter users based on huntgroup.

Br,

Ville

 Hi,

 It was my mistake, when i was testing.

 Corrected DEFAULT Ldap-Group == , Huntgroup-Name == 
 Still not working as i want.

 output?

 alan




Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread A.L.M. Buxey
Hi,
 Here comes:
 
 rlm_ldap::ldap_groupcmp: User found in group 

radiusd -X


it's what the docs say, for a reason

alan


Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread ville
Here:

rad_recv: Access-Request packet from host 172.150.0.62 port 25196, id=194,
length=63
User-Name = testu...@.fi
User-Password = testpass
NAS-IP-Address = 172.150.0.62
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805
[auth_log]  expand: %t - Mon Aug  5 19:03:20 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm .fi for User-Name = testu...@.fi
[suffix] No such realm .fi
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
  [ldap] Entering ldap_groupcmp()
[files] expand: dc=demonet,dc=local - dc=demonet,dc=local
[files] expand: %{Stripped-User-Name} -
[files] ... expanding second conditional
[files] expand: %{User-Name} - testu...@.fi
[files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
(uid=testu...@.fi)
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=demonet,dc=local, with filter
(uid=testu...@.fi)
  [ldap] ldap_release_conn: Release Id: 0
[files] expand:
(|((objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
- (|((objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))((objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=demonet,dc=local, with filter
((cn=)(|((objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))((objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=Tauno
Testaaja,ou=,ou=Customers,dc=demonet,dc=local, with filter
(objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group 
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] Entering ldap_groupcmp()
[files] expand: dc=demonet,dc=local - dc=demonet,dc=local
[files] expand:
(|((objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
- (|((objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))((objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=demonet,dc=local, with filter
((cn=disabled)(|((objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))((objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=Tauno
Testaaja,ou=,ou=Customers,dc=demonet,dc=local, with filter
(objectclass=*)
rlm_ldap::groupcmp: Group disabled not found or user not a member
  [ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for testu...@.fi
[ldap]  expand: %{Stripped-User-Name} -
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} - testu...@.fi
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
(uid=testu...@.fi)
[ldap]  expand: dc=demonet,dc=local - dc=demonet,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=demonet,dc=local, with filter
(uid=testu...@.fi)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword - Password-With-Header ==
{SSHA}g5PDm9CrOOQu+XjbMGHTPnY43mifXND0
[ldap] looking for reply items in directory...
[ldap] Setting Auth-Type = LDAP
[ldap] user testu...@.fi authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns 

Re: something like huntgroups?

2013-07-02 Thread Phil Mayers

On 07/02/2013 02:30 AM, Matt Zagrabelny wrote:


If a user is not in the secret group, then their login should fail if
the Vendor-3076-Attr-146 = 0x554d44 pair is in the request.


This is pretty easy:

authorize {
  ...
  if (Vendor-3076-Attr-146 == 0x554d44) {
    if (SQL-Group == secret) {
      noop
    }
    else {
      reject
    }
  }
  ...
}

See man unlang for more info.


Re: something like huntgroups?

2013-07-02 Thread Arran Cudbard-Bell

On 2 Jul 2013, at 07:18, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 07/02/2013 02:30 AM, Matt Zagrabelny wrote:
 
 If a user is not in the secret group, then their login should fail if
 the Vendor-3076-Attr-146 = 0x554d44 pair is in the request.
 
 This is pretty easy:
 
 authorize {
  ...
  if (Vendor-3076-Attr-146 == 0x554d44) {
if (SQL-Group == secret) {
  noop
}
else {
  reject
}
  }
  ...
 }

Actually no. Undefined attributes should not be modified or evaluated. You'll 
need to find the proper definition for the attribute and add a new dictionary 
entry.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: something like huntgroups?

2013-07-02 Thread Arran Cudbard-Bell

On 2 Jul 2013, at 07:41, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 
 On 2 Jul 2013, at 07:18, Phil Mayers p.may...@imperial.ac.uk wrote:
 
 On 07/02/2013 02:30 AM, Matt Zagrabelny wrote:
 
 If a user is not in the secret group, then their login should fail if
 the Vendor-3076-Attr-146 = 0x554d44 pair is in the request.
 
 This is pretty easy:
 
 authorize {
 ...
 if (Vendor-3076-Attr-146 == 0x554d44) {
   if (SQL-Group == secret) {
 noop
   }
   else {
 reject
   }
 }
 ...
 }
 
 Actually no. Undefined attributes should not be modified or evaluated. You'll 
 need to find the proper definition for the attribute and add a new dictionary 
 entry.

This may work for 2.x.x but definitely won't work for 3.0 which uses direct 
DICT_ATTR pointer comparisons in some places (instead of comparing 
vendor/attribute number).

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: something like huntgroups?

2013-07-02 Thread Alan Buxey
Hi

I'll see if I can send through some dictionary file entries later today

Alan


This smartphone uses eduroam which gives me free WiFi around the world. Now 
thats what I call smart!

Re: something like huntgroups?

2013-07-02 Thread Phil Mayers

On 07/02/2013 07:52 AM, Arran Cudbard-Bell wrote:


This may work for 2.x.x but definitely won't work for 3.0 which uses
direct DICT_ATTR pointer comparisons in some places (instead of
comparing vendor/attribute number).


So... what *can* you do with Vendor-X-Attr-Y?


Re: something like huntgroups?

2013-07-02 Thread Arran Cudbard-Bell

On 2 Jul 2013, at 08:53, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 07/02/2013 07:52 AM, Arran Cudbard-Bell wrote:
 
 This may work for 2.x.x but definitely wont't work for 3.0 which uses
 direct DICT_ATTR pointer comparisons in some places (instead of
 comparing vendor/attribute number).
 
 So... what *can* you do with Vendor-X-Attr-Y?

Use it to figure out which dictionary entries you're missing.

We can't modify the dictionaries dynamically after startup without locking the 
tree (on every read/write), else we could have added unknown attributes as octet 
type attributes.

The compromise is to dynamically allocate fake DICT_ATTR entries for attributes 
which couldn't be resolved in the dictionaries, or that have values which don't 
match their data type (64bit value in integer type for example).

As these DICT_ATTRs are dynamically allocated and unique to each request, 
comparing the pointers doesn't result in a match.

A better solution, seeing as we now pre-parse all conditions and xlat 
expansions, might be to add unknown attributes at parse time.

The server didn't do this when we first started using DICT_ATTR pointers in 
VALUE_PAIRs.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: something like huntgroups?

2013-07-02 Thread Phil Mayers

On 02/07/13 11:37, Arran Cudbard-Bell wrote:


On 2 Jul 2013, at 08:53, Phil Mayers p.may...@imperial.ac.uk
wrote:


On 07/02/2013 07:52 AM, Arran Cudbard-Bell wrote:


This may work for 2.x.x but definitely wont't work for 3.0 which
uses direct DICT_ATTR pointer comparisons in some places (instead
of comparing vendor/attribute number).


So... what *can* you do with Vendor-X-Attr-Y?


Use it to figure out which dictionary entries you're missing.


I was hoping for something more specific than that ;o)

So you can't compare them; can you set them:

update reply {
  Vendor-X-Attr-Y = 0xff
}

?

Can you xlat them?

update request {
  Tmp-String-0 = %{Vendor-X-Attr-Y}
}

?

Or are they basically display-only i.e. debug output and detail file?



We can't modify the dictionaries dynamically after startup without
locking the tree (on every read/write), else we could have added
unknown attributes as octet type attributes.

The compromise is to dynamically allocate fake DICT_ATTR entries for
attributes which couldn't be resolved in the dictionaries, or that
have values which don't match their data type (64bit value in integer
type for example).

As these DICT_ATTRs are dynamically allocated and unique to each
request, comparing the pointers doesn't result in a match.


Ah.


Re: something like huntgroups?

2013-07-02 Thread A.L.M. Buxey
Hi,

 We have a generic VPN profile that we'd like to allow *all* users to
 login to - this works well.
 
 When users login to the secret profile, then the following VPN
 attribute is included in the request:
 
 Vendor-3076-Attr-146 = 0x554d44

use/load the dictionary.cisco.vpn3000 dictionary file (it's what the ASA has 
inherited).
The 146 attribute isn't present currently, so just add it to the file after the
Member-Of entry, e.g.

ATTRIBUTE   CVPN3000-Member-Of           145   string
ATTRIBUTE   CVPN3000-Tunnel-Group-Name   146   string


There's a tonne of other attributes missing from that dictionary... haven't got 
time to send through the change right now.


alan


Re: something like huntgroups?

2013-07-02 Thread Arran Cudbard-Bell

On 2 Jul 2013, at 11:57, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 02/07/13 11:37, Arran Cudbard-Bell wrote:
 
 On 2 Jul 2013, at 08:53, Phil Mayers p.may...@imperial.ac.uk
 wrote:
 
 On 07/02/2013 07:52 AM, Arran Cudbard-Bell wrote:
 
 This may work for 2.x.x but definitely wont't work for 3.0 which
 uses direct DICT_ATTR pointer comparisons in some places (instead
 of comparing vendor/attribute number).
 
 So... what *can* you do with Vendor-X-Attr-Y?
 
 Use it to figure out which dictionary entries you're missing.
 
 I was hoping for something more specific than that ;o)

It appears Alan has already done what I just suggested below.

update reply {
Vendor-1-Attr-2 := 0x01
}

if (reply:Vendor-1-Attr-2) {
ok
}

(0)   update reply {
(0) Vendor-1-Attr-2 := 0x01
(0)   } # update reply = notfound
(0)   ? if (reply:Vendor-1-Attr-2) 
(0)   ? if (reply:Vendor-1-Attr-2)  - TRUE
(0)if (reply:Vendor-1-Attr-2)  {
(0)   - entering if (reply:Vendor-1-Attr-2)  {...}
(0)[ok] = ok
(0)   - if (reply:Vendor-1-Attr-2)  returns ok

Sending Access-Reject of id 208 from 0.0.0.0 port 1812 to 127.0.0.1 port 54941
Attr-26.1.2 = 0x01
Waking up in 4.9 seconds.

Radclient gets confused though...

rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=208, length=29
Attr-26 = 0x0001020301

So you may in fact now be able to use them in conditions, and be able to ignore 
everything I previously said.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

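The practical advice in this thread is to stop reasoning about Vendor-3076-Attr-146 as an opaque blob and give it a dictionary name, then write the policy Phil sketched against that name. The following is an added example, not FreeRADIUS code: a Python decoder for RFC 2865 Vendor-Specific attributes (type 26), a tiny dictionary in the shape of the line Alan suggests, and the reject-unless-in-group rule from Matt's requirement. Assumptions: the attribute names use the CVPN3000- prefix of FreeRADIUS's dictionary.cisco.vpn3000 (vendor id 3076), both attributes are typed string, and the group is called "secret" as in the thread. Two facts the code relies on: 0x554d44 is the ASCII bytes "UMD", and the 5-byte value radclient printed (0x0001020301) cannot be a well-formed VSA, because a 4-byte vendor id leaves only one byte for the vendor type, length and value; that is consistent with Arran's remark that radclient got confused.

```python
"""Decoding RADIUS Vendor-Specific attributes (type 26, RFC 2865) and resolving
them through a dictionary so that policy can test a named attribute rather
than Vendor-3076-Attr-146. Added example, not FreeRADIUS code. The dictionary
entries below follow the line suggested in this thread; the CVPN3000- prefix
follows FreeRADIUS's dictionary.cisco.vpn3000 naming (3076 is that vendor id)."""
import struct

# (vendor-id, vendor-type) -> (attribute name, data type). Constructed.
DICTIONARY = {
    (3076, 145): ("CVPN3000-Member-Of", "string"),
    (3076, 146): ("CVPN3000-Tunnel-Group-Name", "string"),
}


def build_vsa(vendor_id, vendor_type, value):
    """Encode one VSA: RADIUS type 26, length, 4-byte vendor id, then the
    vendor's own type / length / value triple. Returns the whole attribute."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", 26, len(body) + 2) + body


def parse_vsa_value(value):
    """Parse the value part of a type-26 attribute (what radclient prints as
    'Attr-26 = 0x...') into [(vendor_id, vendor_type, bytes), ...].
    Raises ValueError on anything that is not well-formed."""
    if len(value) < 6:                       # 4-byte vendor id + 2-byte sub-header
        raise ValueError("VSA value too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    out, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("bad vendor sub-attribute length")
        out.append((vendor_id, vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return out


def resolve(vendor_id, vendor_type, raw, dictionary=DICTIONARY):
    """Map to (name, decoded value). Unknown attributes keep the generic
    Vendor-X-Attr-Y name and an 0x-hex value, as the server prints them."""
    entry = dictionary.get((vendor_id, vendor_type))
    if entry is None:
        return f"Vendor-{vendor_id}-Attr-{vendor_type}", "0x" + raw.hex()
    name, dtype = entry
    decoded = raw.decode("ascii") if dtype == "string" else "0x" + raw.hex()
    return name, decoded


def decode_request(attr26_values, dictionary=DICTIONARY):
    """Turn the values of all type-26 attributes in a request into a
    name -> value mapping."""
    pairs = {}
    for raw in attr26_values:
        for vid, vtype, val in parse_vsa_value(raw):
            name, decoded = resolve(vid, vtype, val, dictionary)
            pairs[name] = decoded
    return pairs


def authorize(pairs, user_groups):
    """The policy from the thread against the named attribute: a request for
    the 'UMD' tunnel group is rejected unless the user is in group 'secret'."""
    if pairs.get("CVPN3000-Tunnel-Group-Name") == "UMD" and "secret" not in user_groups:
        return "reject"
    return "noop"


if __name__ == "__main__":
    # Well-formed encoding of Arran's 'Vendor-1-Attr-2 := 0x01' (Attr-26.1.2 = 0x01)
    print(build_vsa(1, 2, b"\x01")[2:].hex())            # 00000001020301
    # The 5-byte value radclient printed, 0x0001020301, is not a valid VSA
    try:
        parse_vsa_value(bytes.fromhex("0001020301"))
    except ValueError as err:
        print("radclient value rejected:", err)
    # Constructed Cisco VSA carrying the thread's value 0x554d44 (ASCII "UMD")
    attr = build_vsa(3076, 146, bytes.fromhex("554d44"))
    pairs = decode_request([attr[2:]])
    print(pairs, authorize(pairs, {"staff"}), authorize(pairs, {"secret"}))
```

The decoder is strict on purpose: a sub-attribute length below 2 or running past the end of the value is rejected rather than silently skipped, which is the behaviour you want from anything that feeds an authorization decision.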


Re: something like huntgroups?

2013-07-02 Thread Arran Cudbard-Bell

On 2 Jul 2013, at 12:15, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 
 On 2 Jul 2013, at 11:57, Phil Mayers p.may...@imperial.ac.uk wrote:
 
 On 02/07/13 11:37, Arran Cudbard-Bell wrote:
 
 On 2 Jul 2013, at 08:53, Phil Mayers p.may...@imperial.ac.uk
 wrote:
 
 On 07/02/2013 07:52 AM, Arran Cudbard-Bell wrote:
 
 This may work for 2.x.x but definitely wont't work for 3.0 which
 uses direct DICT_ATTR pointer comparisons in some places (instead
 of comparing vendor/attribute number).
 
 So... what *can* you do with Vendor-X-Attr-Y?
 
 Use it to figure out which dictionary entries you're missing.
 
 I was hoping for something more specific than that ;o)
 
 It appears Alan has already done what I just suggested below.
 
update reply {
Vendor-1-Attr-2 := 0x01
}
 
if (reply:Vendor-1-Attr-2) {
ok
}
 
 (0)   update reply {
 (0)   Vendor-1-Attr-2 := 0x01
 (0)   } # update reply = notfound
 (0)   ? if (reply:Vendor-1-Attr-2) 
 (0)   ? if (reply:Vendor-1-Attr-2)  - TRUE
 (0)if (reply:Vendor-1-Attr-2)  {
 (0)   - entering if (reply:Vendor-1-Attr-2)  {...}
 (0)[ok] = ok
 (0)   - if (reply:Vendor-1-Attr-2)  returns ok

Or the condition stuff is still message up...

Taking out the update statement I still get:

(0)   ? if (reply:Vendor-1-Attr-2) 
(0)   ? if (reply:Vendor-1-Attr-2)  - TRUE
(0)if (reply:Vendor-1-Attr-2)  {
(0)   - entering if (reply:Vendor-1-Attr-2)  {...}
(0)[ok] = ok


Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: something like huntgroups?

2013-07-02 Thread Arran Cudbard-Bell

On 2 Jul 2013, at 12:19, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 
 On 2 Jul 2013, at 12:15, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
 
 
 On 2 Jul 2013, at 11:57, Phil Mayers p.may...@imperial.ac.uk wrote:
 
 On 02/07/13 11:37, Arran Cudbard-Bell wrote:
 
 On 2 Jul 2013, at 08:53, Phil Mayers p.may...@imperial.ac.uk
 wrote:
 
 On 07/02/2013 07:52 AM, Arran Cudbard-Bell wrote:
 
 This may work for 2.x.x but definitely wont't work for 3.0 which
 uses direct DICT_ATTR pointer comparisons in some places (instead
 of comparing vendor/attribute number).
 
 So... what *can* you do with Vendor-X-Attr-Y?
 
 Use it to figure out which dictionary entries you're missing.
 
 I was hoping for something more specific than that ;o)
 
 It appears Alan has already done what I just suggested below.
 
   update reply {
   Vendor-1-Attr-2 := 0x01
   }
 
   if (reply:Vendor-1-Attr-2) {
   ok
   }
 
 (0)   update reply {
 (0)  Vendor-1-Attr-2 := 0x01
 (0)   } # update reply = notfound
 (0)   ? if (reply:Vendor-1-Attr-2) 
 (0)   ? if (reply:Vendor-1-Attr-2)  - TRUE
 (0)if (reply:Vendor-1-Attr-2)  {
 (0)   - entering if (reply:Vendor-1-Attr-2)  {...}
 (0)[ok] = ok
 (0)   - if (reply:Vendor-1-Attr-2)  returns ok
 
 Or the condition stuff is still message up...

*messed 

 
 Taking out the update statement I still get:
 
 (0)   ? if (reply:Vendor-1-Attr-2) 
 (0)   ? if (reply:Vendor-1-Attr-2)  - TRUE
 (0)if (reply:Vendor-1-Attr-2)  {
 (0)   - entering if (reply:Vendor-1-Attr-2)  {...}
 (0)[ok] = ok
 

Ok, just broken for unknown attributes:

(0)   update reply {
(0)   ? if (reply:User-Name) 
(0)   ? if (reply:User-Name)  - FALSE
(0)policy filter_username {

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



something like huntgroups?

2013-07-01 Thread Matt Zagrabelny
Greetings!

Our Cisco VPN concentrator is sending some RADIUS attributes in the
request packet and if certain values appear, then I'd like to only
allow a subset of users to login.

I've looked at:

http://wiki.freeradius.org/SQL-Huntgroup-HOWTO/dbeef165862fe9ba7ef6f7d011889d1f7212cf9b

the SQL Huntgroup howto and it seemed close, but the scenario that I
am looking at is slightly different and I am getting mixed up. I am
hoping for some help.

Here is my scenario:

We have a generic VPN profile that we'd like to allow *all* users to
login to - this works well.

When users login to the secret profile, then the following VPN
attribute is included in the request:

Vendor-3076-Attr-146 = 0x554d44

The attribute and value are known and constant, thus I can make
decisions on them.

Users who are in the secret group should be able to login to *both*
the generic profile (which does not have the Vendor-3076-Attr-146 =
0x554d44 pair) and the secret profile, which does have the pair.

If a user is not in the secret group, then their login should fail if
the Vendor-3076-Attr-146 = 0x554d44 pair is in the request.

Thanks for any advice or design input!

Cheers,

-mz


Re: Huntgroups checking in MySQL radgroupcheck

2013-06-07 Thread Marco Marzetti
On Thu, 06/06/2013 at 09.21 +0200, Marco Marzetti wrote:

 On Wed, 05/06/2013 at 13.41 -0400, Alan DeKok wrote: 
 
  Marco Marzetti wrote:
   Also, if i understand it correctly, it makes sense to me since == is a
   filtering
   operator while := add the attribute to the list for further checking
   
   Anyway, i've updated the record above and putting := and it doesn't 
   work.
  
It depends what you want to do.  I thought you had said you wanted to
  *set* the huntgroups in SQL.  If so, := is the correct thing to use.
  
If you're just checking it, == is the right one.
 
 
 Yes. I'm checking for a match between the NAS-IP-Address and the
 specified username.
 So, if user foo sends an authentication request through NAS
 192.0.2.1, FreeRADIUS should check if 
 that NAS-IP-Address address matches with the ones associated to the
 Huntgroup named APPARATI.
 
 
  
The huntgroups are set in the huntgroups file.  Have you looked there?
 
 
 As said, the filter works if the user's Huntgroup-Name is set in the
 radcheck table and it doesn't if it is set 
 in the radgroupcheck one.
 
 
  
Alan DeKok.
 
 
 Thank You
 
 Marco 
 


I eventually found this in rlm_sql:

  5. For each group this user is a member of, the corresponding check items
     are pulled from radgroupcheck table and compared with the request. If
     there is a match, the reply items for this group are pulled from the
     radgroupreply table and applied.

So there MUST be a match in radgroupcheck to make the user be a part of
the group.
Then you can't make a Huntgroup-Name check on a per group basis.



Re: Huntgroups checking in MySQL radgroupcheck

2013-06-06 Thread Marco Marzetti
On Wed, 05/06/2013 at 13.41 -0400, Alan DeKok wrote:

 Marco Marzetti wrote:
  Also, if i understand it correctly, it makes sense to me since == is a
  filtering
  operator while := add the attribute to the list for further checking
  
  Anyway, i've updated the record above and putting := and it doesn't work.
 
   It depends what you want to do.  I thought you had said you wanted to
 *set* the huntgroups in SQL.  If so, := is the correct thing to use.
 
   If you're just checking it, == is the right one.


Yes. I'm checking for a match between the NAS-IP-Address and the
specified username.
So, if user foo sends an authentication request through NAS
192.0.2.1, FreeRADIUS should check if 
that NAS-IP-Address address matches with the ones associated to the
Huntgroup named APPARATI.


 
   The huntgroups are set in the huntgroups file.  Have you looked there?


As said, the filter works if the user's Huntgroup-Name is set in the
radcheck table and it doesn't if it is set 
in the radgroupcheck one.


 
   Alan DeKok.


Thank You

Marco

Re: Huntgroups checking in MySQL radgroupcheck

2013-06-05 Thread Alan DeKok
Marco Marzetti wrote:
 mysql> SELECT * FROM radgroupcheck;
 +----+-----------+----------------+----+----------+
 | id | groupname | attribute      | op | value    |
 +----+-----------+----------------+----+----------+
 |  1 | TECNICI   | Huntgroup-Name | == | APPARATI |
 +----+-----------+----------------+----+----------+

  Read doc/rlm_sql.  Or man unlang.  The operators are the same.

  You want :=, not ==.

  Alan DeKok.


Re: Huntgroups checking in MySQL radgroupcheck

2013-06-05 Thread Marco Marzetti
On Wed, 05/06/2013 at 09.14 -0400, Alan DeKok wrote:

 Marco Marzetti wrote:
  mysql> SELECT * FROM radgroupcheck;
  +----+-----------+----------------+----+----------+
  | id | groupname | attribute      | op | value    |
  +----+-----------+----------------+----+----------+
  |  1 | TECNICI   | Huntgroup-Name | == | APPARATI |
  +----+-----------+----------------+----+----------+
 
   Read doc/rlm_sql.  Or man unlang.  The operators are the same.
 
   You want :=, not ==.
 
   Alan DeKok.



Hello,

Sorry, what do you mean by "The operators are the same"?
I put == because /etc/freeradius/users uses that one:
root@tango:~# grep Huntgroup-Name /etc/freeradius/users
#swilson    Service-Type == Framed-User, Huntgroup-Name == alphen
#DEFAULT    Service-Type == Framed-User, Huntgroup-Name == alphen
#DEFAULT    Service-Type == Framed-User, Huntgroup-Name == delft

And because == works in radcheck while := doesn't.

Also, if I understand it correctly, it makes sense to me since == is a
filtering operator while := adds the attribute to the list for further checking.

Anyway, I've updated the record above, putting :=, and it doesn't
work.

Is there anything else wrong?

Thank You

Re: Huntgroups checking in MySQL radgroupcheck

2013-06-05 Thread Alan DeKok
Marco Marzetti wrote:
 Also, if i understand it correctly, it makes sense to me since == is a
 filtering
 operator while := add the attribute to the list for further checking
 
 Anyway, i've updated the record above and putting := and it doesn't work.

  It depends what you want to do.  I thought you had said you wanted to
*set* the huntgroups in SQL.  If so, := is the correct thing to use.

  If you're just checking it, == is the right one.

  The huntgroups are set in the huntgroups file.  Have you looked there?

  Alan DeKok.


Re: SQL and Huntgroups

2013-05-01 Thread Fajar A. Nugraha
On Tue, Apr 30, 2013 at 3:09 PM,  gregoire.le...@retenodus.net wrote:
 Hello,


 It pretty much said that:
 - you need to add an entry to radgroupcheck, so that when
 Huntgroup-Name matches a value (site_a), an SQL group (site_a_admins)
 will be assigned
 - you add entries to radgroupreply to return
 whatever-attribute-value-pairs-you-want for site_a_admins group.


 I don't understand. The wiki and you seem to explain how to add the same
 configuration to the reply for all the users from a NAS.
 Indeed, with your example, all the users from site_a would have the same
 attributes from site_a_admins group. I want to add something which is
 user-dependent (like, for example, but not only, his IP address). To do
 that, with your example, I would be forced to create one group per user, and
 I really don't like that (it seems ugly).

Wow.

So per user, AND per NAS?

AFAIK it would pretty much be as ugly in SQL as it would be in users
file. And you also need to modify the SELECT query to include
User-Name instead of just NAS-IP-Address.

Yes, you'd need to create one group per user-NAS combination, but
you'd also need a separate entry in the users file for the same thing if
you use files instead of sql. So IMHO it's roughly the same.

-- 
Fajar


Re: SQL and Huntgroups

2013-04-30 Thread gregoire . leroy

Hello,


It pretty much said that:
- you need to add an entry to radgroupcheck, so that when
Huntgroup-Name matches a value (site_a), an SQL group (site_a_admins)
will be assigned
- you add entries to radgroupreply to return
whatever-attribute-value-pairs-you-want for site_a_admins group.


I don't understand. The wiki and you seem to explain how to add the 
same configuration to the reply for all the users from a NAS.
Indeed, with your example, all the users from site_a would have the 
same attributes from site_a_admins group. I want to add something which 
is user-dependent (like, for example, but not only, his IP address). To 
do that, with your example, I would be forced to create one group per 
user, and I really don't like that (it seems ugly).


Thank you,
Regards,
Grégoire Leroy

Re: SQL and Huntgroups

2013-04-29 Thread gregoire . leroy

For step 4, I have to:
1) Retrieve the huntgroup
2) Compare it with what the user sends
3) If it matches, give him his specific statement.

So, if I understand correctly, in the authorize section I have to
maintain a radipusers table for my IP/users and do something like:

1)
update request {
Huntgroup-Name := %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress='%{NAS-IP-Address}'}
}

2)
if Huntgroup-Name == 'one_huntgroup_name' {
3)
Framed-IP-Address = %{sql:SELECT ip FROM radipusers WHERE
user='%{username}'}
}

Is there something wrong in what I just said?


  I'm really not sure.

  All I can say is try it, and see if it works.


I tried it and it worked.
However, it worked only because the specific statement was:
Framed-IP-Address = IP.ADD.RE.SS

(Reminder: I want the following behaviour:

1) Set the password for the user
2) Authentication of the user
3) X is always added to the reply if the user is authenticated
4) Moreover, Y is added to the reply for NAS, still if the user is 
authenticated.)


What I would like instead of my dumb radipusers table (id | username | 
ip), is a table which looks like radreply (id | username | attribute | 
op | value) I could use with unlang.


The thing I want to be added by RADIUS in the reply:
if (Huntgroup-Name == 'one_huntgroup_name') {
   Attribute1 op1 value1
   Attribute2 op2 value2
   ...
   Attributei opi valuei
}
Given that Attribute,op,value 1...i are in the MySQL table.

Is it possible to get that by unlang / SQL? I've read the unlang 
manpage, and I don't see any information which would enable me to do 
that.

I've tried something without much hope, and without success:
%{sql:SELECT attribute from radreply where 
username='%{request:User-Name}'} = %{sql:SELECT value from radreply 
where username='%{User-Name}'}


Thank you for your help,
Regards,
Grégoire Leroy



Re: SQL and Huntgroups

2013-04-29 Thread A . L . M . Buxey
Hi,

 The thing I want to be added by radius in the reply :
 if (Huntgroup-Name == 'one_huntgroup_name') {
Attribute1 op1 value1
Attribute2 op2 value2
...
Attributei opi valuei
 }
 Given that Attribute,op,value 1...i are in the MySQL table.


 if (Huntgroup-Name == 'one_huntgroup_name') {
update reply {
attribute1 := %{sql:SELECT blah blah}
attribute2 := %{sql:SELECT blah blah}
attribute3 := %{sql:SELECT blah blah}
attribute4 := %{sql:SELECT blah blah}
}
}

alan


Re: SQL and Huntgroups

2013-04-29 Thread gregoire . leroy

Hello,


if (Huntgroup-Name == 'one_huntgroup_name') {

update reply {
attribute1 := %{sql:SELECT blah blah}
attribute2 := %{sql:SELECT blah blah}
attribute3 := %{sql:SELECT blah blah}
attribute4 := %{sql:SELECT blah blah}
}
}


The thing is, I don't know how many attributes I have. It could be 1, 
4, 10 and not always the same. That's why I want to retrieve from the 
database the value, the op and the attribute.


Thanks,
Regards


Re: SQL and Huntgroups

2013-04-29 Thread A . L . M . Buxey
Hi,

 The thing is, I don't know how many attributes I have. It could be
 1, 4, 10 and not always the same. That's why I want to retrieve from
 the database the value, the op and the attribute.

 just use authorize_group_reply_query and the groupreply_table = radgroupreply
 part of sql.conf ?

alan


Re: SQL and Huntgroups

2013-04-29 Thread Grégoire Leroy
Hi,

On Monday 29 April 2013 20:30:15, a.l.m.bu...@lboro.ac.uk wrote:
 Hi,
 
  The thing is, I don't know how many attributes I have. It could be
  1, 4, 10 and not always the same. That's why I want to retrieve from
  the database the value, the op and the attribute.
 
  just use authorize_group_reply_query  and the groupreply_table =
 radgroupreply part of sql.conf ?

Maybe I was not clear enough above.

What I want is:
1) Set the password for the user
2) Authentication of the user
3) X is always added to the reply if the user is authenticated
4) Moreover, Y is added to the reply for NAS, still if the user is authenticated

I use radreply for X; the issue here is step 4. The how-to on the wiki about 
huntgroups and SQL recommends using unlang in the authorize section. So, I 
update the request to assign the Huntgroup-Name attribute, and use unlang to 
add the Y configuration (user dependent) if the huntgroupname is 
one_huntgroup_name.

That's why I maintain a separate table for the Y configuration, and I would like 
to be able to dynamically update my request with the attributes, ops and values 
of the user.

Is it possible?

If not, I could just put my X+Y configuration in radreply and, using unlang, 
delete Y if the request is not from the right NAS. But I don't like adding 
something to delete it afterwards, if possible.

Thank you for your help,
Regards,
Grégoire Leroy


Re: SQL and Huntgroups

2013-04-29 Thread Fajar A. Nugraha
On Tue, Apr 30, 2013 at 4:31 AM, Grégoire Leroy
gregoire.le...@retenodus.net wrote:
 Maybe I was not clear enough above.

 What I want is :
 1) Set the password for the user
 2) Authentication of the user
 3) X is always added to the reply if the user is authenticated
 4) Moreover, Y is added to the reply for NAS, still if the user is 
 authenticated

 I use radreply for X; the issue here is step 4. The how-to on the wiki about 
 huntgroups and SQL recommends using unlang in the authorize section. So, I 
 update the request to assign the Huntgroup-Name attribute, and use unlang to 
 add the Y configuration (user dependent) if the huntgroupname is 
 one_huntgroup_name.

That's not what the wiki said. Well, you can do that, but it doesn't
say that you can ONLY do that. You can do other stuff as well.

http://wiki.freeradius.org/guide/SQL-Huntgroup-HOWTO#More-examples

It pretty much said that:
- you need to add an entry to radgroupcheck, so that when
Huntgroup-Name matches a value (site_a), an SQL group (site_a_admins)
will be assigned
- you add entries to radgroupreply to return
whatever-attribute-value-pairs-you-want for site_a_admins group.

 That's why I maintain a separate table for the Y configuration, and I would like 
 to be able to dynamically update my request with the attributes, ops and values 
 of the user.

 Is it possible?

Read the wiki.

--
Fajar


Re: SQL and Huntgroups

2013-04-25 Thread gregoire . leroy

Now, documentation seems to say I have to add something in my
authorize{} section, but the only mention of authorize in my current
configuration is:

authorize {
ok

# respond to the Status-Server request.
Autz-Type Status-Server {
ok
}
}

Did I miss something? Am I more clear?


  Uh... someone *destroyed* your configuration.  That's not right.

  Are you sure you're using the users file?  The files module isn't
listed above... so it looks like you're not using it.


My fault: I've opened status instead of default. For step 4, I have 
to:

1) Retrieve the huntgroup
2) Compare it with what the user sends
3) If it matches, give him his specific statement.

So, if I understand correctly, in the authorize section I have to 
maintain a radipusers table for my IP/users and do something like:


1)
update request {
Huntgroup-Name := %{sql:SELECT groupname FROM radhuntgroup WHERE 
nasipaddress='%{NAS-IP-Address}'}

}

2)
if Huntgroup-Name == 'one_huntgroup_name' {
3)
Framed-IP-Address = %{sql:SELECT ip FROM radipusers WHERE 
user='%{username}'}

}

Is there something wrong in what I just said?

Thank you,
Regards,
Grégoire Leroy

Re: SQL and Huntgroups

2013-04-25 Thread Alan DeKok
gregoire.le...@retenodus.net wrote:
 My fault: I've opened status instead of default.

  I have no idea what that means.

  All of my help is presuming that you're starting off with the default
configuration.  If you've butchered it, you're on your own.

 For step 4, I have to:
 1) Retrieve the huntgroup
 2) Compare it with what the user sends
 3) If it matches, give him his specific statement.
 
 So, if I understand correctly, in the authorize section I have to
 maintain a radipusers table for my IP/users and do something like:
 
 1)
 update request {
 Huntgroup-Name := %{sql:SELECT groupname FROM radhuntgroup WHERE
 nasipaddress='%{NAS-IP-Address}'}
 }
 
 2)
 if Huntgroup-Name == 'one_huntgroup_name' {
 3)
 Framed-IP-Address = %{sql:SELECT ip FROM radipusers WHERE
 user='%{username}'}
 }
 
 Is there something wrong in what I just said?

  I'm really not sure.

  All I can say is try it, and see if it works.

  Alan DeKok.


Re: SQL and Huntgroups

2013-04-24 Thread gregoire . leroy

Hello,


  So... what do you want to do?  You've been very clear that you want
help with a particular *solution*.  Because your assumptions are wrong,
your solution is wrong.  So I can't really help you with that.

  What do you have, and what do you want?

- you want the user to be authenticated

- you want reply X for NAS X, and reply Y for NAS not X?

- ???

  Write it out in plain English.  It should then be easy to figure out
how to map it to the server configuration.


I want the following behaviour:

1) Set the password for the user
2) Authentication of the user
3) X is always added to the reply if the user is authenticated
4) Moreover, Y is added to the reply for NAS, still if the user is 
authenticated.


In my current configuration, with users files it works well.

Now, if I understand correctly, authentication is not handled by the 
users/SQL module, so the only steps concerned here are 1,3 and 4.

For 1, it seems obvious:
radcheck:
example@domain | Cleartext-Password | password | =:

For 3, I just have to add each attribute in radreply, no problem 
here.


For 4, it's more complicated...
First, radhuntgroup:
1 | one_huntgroup_name | IP_NAS | NULL |

Now, documentation seems to say I have to add something in my 
authorize{} section, but the only mention of authorize in my current 
configuration is:


authorize {
ok

# respond to the Status-Server request.
Autz-Type Status-Server {
ok
}
}

Did I miss something? Am I more clear?

Thanks for your help,
Regards,
Grégoire


Re: SQL and Huntgroups

2013-04-24 Thread Alan DeKok
gregoire.le...@retenodus.net wrote:
 I want the following behaviour :
 
 1) Set the password for the user
 2) Authentication of the user
 3) X is always added to the reply if the user is authenticated
 4) Moreover, Y is added to the reply for NAS, still if the user is
 authenticated.

  That's pretty straightforward.

 Now, if I understand correctly, authentication is not handled by the
 users/SQL module, so the only steps concerned here are 1,3 and 4.

  Yes.

 Now, documentation seems to say I have to add something in my
 authorize{} section, but the only mention of authorize in my current
 configuration is :
 
 authorize {
 ok
 
 # respond to the Status-Server request.
 Autz-Type Status-Server {
 ok
 }
 }
 
 Did I miss something ? Am I more clear ?

  Uh... someone *destroyed* your configuration.  That's not right.

  Are you sure you're using the users file?  The files module isn't
listed above... so it looks like you're not using it.

  Alan DeKok.


Re: SQL and Huntgroups

2013-04-23 Thread gregoire . leroy

Hello,

On 2013-04-22 15:33, Alan DeKok wrote:

gregoire.le...@retenodus.net wrote:
First, I want to check if the user has the right password. If he has 
the right password, I want to give him a configuration and if he's in 
the one_huntgroup_name (i.e. he's from a special NAS), I want to give 
him the Framed-IP-Address. That's the current behavior of my users file, 
and I want to translate it into SQL. Do you know how to do that?


  Yes.  I said the rlm_sql documentation says that it mirrors the
functionality of the users file.

  Read the documentation.


I have actually read the documentation, and the wiki about SQL. Really. 
Otherwise, I wouldn't have sent the first email. I'm going to be more 
specific about what I don't understand.


In my users file, I have two lines to check.

First, example@domain    Cleartext-Password := password, which 
gives a reply if the user is authenticated.
Secondly, example@domain    Cleartext-Password := password, 
Huntgroup-Name == one_huntgroup_name, which adds something in the 
reply if the user is authenticated AND from the right NAS.


A literal translation into the database would be what I said before:
In radcheck:
example@domain | Cleartext-Password | password | =:
example@domain | Huntgroup-Name | one_huntgroup_name | ==
example@domain | Cleartext-Password | password | =:

But you told me (and I totally understand that) that wouldn't work.

In the users file, it's simple: I can have a line with two things to 
check, and just put the reply under the check line. In the database, I don't 
really have this order. It's really a mapping matter. Finally, in the 
users file, I do:

IF condition1
 ADD that
IF condition1 AND condition2
 ADD that

It's the double condition1 which gives me a problem translating it.

I hope my problem is clearer. If you want, when the project is 
done, I'll add a page on the wiki so that you don't have to answer that 
again.


Thank you for your help,
Regards,
Grégoire Leroy


Re: SQL and Huntgroups

2013-04-23 Thread Alan DeKok
gregoire.le...@retenodus.net wrote:
 I have actually read the documentation, and the wiki about SQL. Really.
 Otherwise, I wouldn't have sent the first email. I'm going to be more
 specific about what I don't understand.

  OK.  That's good.

 In my users file, I have two lines to check.
 
 First, example@domain    Cleartext-Password := password, which
 gives a reply if the user is authenticated.

  Not exactly... it *sets* the Cleartext-Password for the user.
Authentication happens later.

 Secondly, example@domain Cleartext-Password := password,
 Huntgroup-Name == one_huntgroup_name, which adds something in the
 reply if the user is authenticated AND from the right NAS.

  No.  See man users.  The := operator *sets* the
Cleartext-Password.  It doesn't *check* it.

 In the user files, it's simple : I can have a line with two things to
 check, and just put the reply under the check line. In database, I don't
 really have this order. It's really a mapping matter.

  That's really the only difference between the two. Everything else
maps directly.

 Finally, in the
 users file, I do :
 IF condition1
  ADD that
 IF condition1 AND condition2
  ADD that
 
 It's the double condition1 which gives me a problem translating it.

  The users file entries don't do what you think.  That's at least
part of the problem.

  So... what do you want to do?  You've been very clear that you want
help with a particular *solution*.  Because your assumptions are wrong,
your solution is wrong.  So I can't really help you with that.

  What do you have, and what do you want?

- you want the user to be authenticated

- you want reply X for NAS X, and reply Y for NAS not X?

- ???

  Write it out in plain English.  It should then be easy to figure out
how to map it to the server configuration.

  Alan DeKok.


Re: SQL and Huntgroups

2013-04-22 Thread gregoire . leroy

Hello,

On 2013-04-20 15:23, Alan DeKok wrote:

gregoire.le...@retenodus.net wrote:

Hello,

I'm translating a flat file configuration into a MySQL configuration,
but I have some difficulties with huntgroups.

An example of what I have in my flat file:

   21 example@domain⋅⋅Cleartext-Password := password
   22 ⋅Service-Type = Framed-User,


  Well, no.  There's no need to add line numbers.  There's no need to
replace tabs with 

  You're confusing the issue.  Just copy text from the users file
(which is its name) to the email message.  Email can do text.


That's exactly what I did, it's how my editor shows it. I thought it 
would be more readable. I won't do it next time, thanks.


In SQL, I'm going to create a group example_users, with all the common
data (line 22 to 30), a user example@domain who belongs to
example_users.
I'm going to create an entry in radhuntgroup, with my
one_huntgroup_name and the IP of my NAS.


  Then try that out in the users file.  The rlm_sql documentation says
that it mirrors the functionality of the users file.

  So... don't change two things at once.  Create the config you want in
the users file as one step.  As the next step, move it to SQL.  Pretty
much verbatim.


I don't understand: I already have huntgroups in my flat file. I 
didn't show the radhuntgroup file, but I thought that the fact I mention 
it in the users file would be sufficient.


Now, I see one problem: how can I differentiate when a request has the
user/pass/huntgroup and when it has only the user/pass? I suppose that
creating 3 entries in radcheck won't work because it seems awkward.
( example@domain | Cleartext-Password | password | =:
  example@domain | Huntgroup-Name | one_huntgroup_name | ==
  example@domain | Cleartext-Password | password | =:
)


  Well, the first and second one are identical.  So they're duplicates,
and you only need one.

  But the second one checks for something different, so it's different.


I am very sorry, but I don't understand your point. Maybe you meant the 
first and the third one are identical?

If so, yes I know. Maybe my question was unclear.

First, I want to check if the user has the right password. If he has 
the right password, I want to give him a configuration and if he's in 
the one_huntgroup_name (i.e. he's from a special NAS), I want to give 
him the Framed-IP-Address. That's the current behavior of my users file, 
and I want to translate it into SQL. Do you know how to do that?


Thanks for your help,
Regards,
Gregoire Leroy

Re: SQL and Huntgroups

2013-04-22 Thread Alan DeKok
gregoire.le...@retenodus.net wrote:
 First, I want to check if the user has the right password. If he has the
 right password, I want to give him a configuration and if he's in the
 one_huntgroup_name (i.e. he's from a special NAS), I want to give him
 the Framed-IP-Address. That's the current behavior of my users file, and
 I want to translate it into SQL. Do you know how to do that?

  Yes.  I said the rlm_sql documentation says that it mirrors the
functionality of the users file.

  Read the documentation.

  To a very large extent, you can just take the users file entries,
and map them directly to the SQL tables.

  Alan DeKok.


Re: SQL and Huntgroups

2013-04-20 Thread Alan DeKok
gregoire.le...@retenodus.net wrote:
 Hello,
 
 I'm translating a flat file configuration into a MySQL configuration,
 but I have some difficulties with huntgroups.
 
 An example of what I have in my flat file:
 
21 example@domain⋅⋅Cleartext-Password := password
22 ⋅Service-Type = Framed-User,

  Well, no.  There's no need to add line numbers.  There's no need to
replace tabs with 

  You're confusing the issue.  Just copy text from the users file
(which is its name) to the email message.  Email can do text.

 In SQL, I'm going to create a group example_users, with all the common
 data (line 22 to 30), a user example@domain who belongs to
 example_users.
 I'm going to create an entry in radhuntgroup, with my
 one_huntgroup_name and the IP of my NAS.

  Then try that out in the users file.  The rlm_sql documentation says
that it mirrors the functionality of the users file.

  So... don't change two things at once.  Create the config you want in
the users file as one step.  As the next step, move it to SQL.  Pretty
much verbatim.

 Now, I see one problem: how can I differentiate when a request has the
 user/pass/huntgroup and when it has only the user/pass? I suppose that
 creating 3 entries in radcheck won't work because it seems awkward.
 ( example@domain | Cleartext-Password | password | =:
   example@domain | Huntgroup-Name | one_huntgroup_name | ==
   example@domain | Cleartext-Password | password | =:
 )

  Well, the first and second one are identical.  So they're duplicates,
and you only need one.

  But the second one checks for something different, so it's different.

  Alan DeKok.

SQL and Huntgroups

2013-04-19 Thread gregoire . leroy

Hello,

I'm translating a flat file configuration into a MySQL configuration, 
but I have some difficulties with huntgroups.


An example of what I have in my flat file:

   21 example@domain⋅⋅Cleartext-Password := password
   22 ⋅Service-Type = Framed-User,
   23 ⋅Framed-Protocol = PPP,
   24 ⋅Tunnel-Type = L2TP,
   25 ⋅Tunnel-Medium-Type = IP,
   26 ⋅Tunnel-Assignment-ID = RAN.DOM.I.P,
   27 ⋅Tunnel-Server-Endpoint = RAN.DOM.I.P,
   28 ⋅Tunnel-Client-Auth-ID = auth_id,
   29 ⋅Tunnel-Password = password_tunnel,
   30 ⋅Fall-Through = Yes
   31
   32 example@domain⋅⋅Cleartext-Password := password, 
Huntgroup-Name == one_huntgroup_name

   33 ⋅Framed-IP-Address = STAT.IC.I.P

So, if the request doesn't have the huntgroup set, only the first part 
is applied. Else, both are applied.


In SQL, I'm going to create a group example_users, with all the 
common data (line 22 to 30), a user example@domain who belongs to 
example_users.
I'm going to create an entry in radhuntgroup, with my 
one_huntgroup_name and the IP of my NAS.


Now, I see one problem: how can I differentiate when a request has the 
user/pass/huntgroup and when it has only the user/pass? I suppose that 
creating 3 entries in radcheck won't work because it seems awkward.

( example@domain | Cleartext-Password | password | =:
  example@domain | Huntgroup-Name | one_huntgroup_name | ==
  example@domain | Cleartext-Password | password | =:
)

Does someone know a solution to this problem?

Thank you,
Regards,
Grégoire

RE: Configure Huntgroups

2012-11-28 Thread Arshad Khan

Anyone, kindly reply.

Regards,

Arshad Ahmed Network Engineer


From: arshadkha...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: Configure Huntgroups
Date: Tue, 27 Nov 2012 10:01:19 +0500

Hi,
I have configured multiple hunt groups for different purposes like VPN (VPN 
Server IP) and Netflow Services (Netflow Server IP), and hence defined their 
respective groups on the Windows Active Directory platform.
Now, I need to provide time-based VPN access to some users, so I made a group in 
Active Directory and configured its respective file ntlm_auth4, so from now on there is 
one huntgroup and two ntlm_auth groups, one for normal VPN access and one for 
time-based access. But this configuration is not working and every time it goes to 
check the ntlm_auth2 condition.
Kindly advise.
DEFAULT Auth-Type := ntlm_auth4, Huntgroup-Name == vpn, Login-Time := Sa-Su0800-1300
        Fall-Through = Yes
DEFAULT Auth-Type := ntlm_auth3, Huntgroup-Name == netflow
        Fall-Through = Yes
DEFAULT Auth-Type := ntlm_auth2, Huntgroup-Name == vpn
        Fall-Through = Yes
DEFAULT Auth-Type = ntlm_auth

Regards,

Arshad Ahmed Network Engineer

Configure Huntgroups

2012-11-26 Thread Arshad Khan

Hi,
I have configured multiple hunt groups for different purposes like VPN (VPN 
Server IP) and Netflow Services (Netflow Server IP), and hence defined their 
respective groups on the Windows Active Directory platform.
Now, I need to provide time-based VPN access to some users, so I made a group in 
Active Directory and configured its respective file ntlm_auth4, so from now on there is 
one huntgroup and two ntlm_auth groups, one for normal VPN access and one for 
time-based access. But this configuration is not working and every time it goes to 
check the ntlm_auth2 condition.
Kindly advise.
DEFAULT Auth-Type := ntlm_auth4, Huntgroup-Name == vpn, Login-Time := Sa-Su0800-1300
        Fall-Through = Yes
DEFAULT Auth-Type := ntlm_auth3, Huntgroup-Name == netflow
        Fall-Through = Yes
DEFAULT Auth-Type := ntlm_auth2, Huntgroup-Name == vpn
        Fall-Through = Yes
DEFAULT Auth-Type = ntlm_auth

Regards,

Arshad Ahmed Network Engineer
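Both threads above (SQL and Huntgroups, Configure Huntgroups) turn on how the users file walks its entries, so here is an added toy model of that evaluation in Python, not code from the posts or from FreeRADIUS itself: `==` items compare against the request (Huntgroup-Name against the huntgroups file), `:=` and `=` set control items, and Fall-Through = Yes is the only way a later entry is also consulted, which is why a request from the vpn huntgroup ends with the ntlm_auth2 entry's Auth-Type. Assumed: only those three operators are modelled, and the NAS addresses VPN.SERVER.IP and NETFLOW.SERVER.IP and the shortened reply list for example@domain are constructed placeholders.

```python
"""Toy model of FreeRADIUS 'users' + 'huntgroups' evaluation (added example)."""

# huntgroups file: (huntgroup name, request attributes it requires).
# IP_NAS is from the thread; the two server IPs are constructed placeholders.
HUNTGROUPS = [
    ("one_huntgroup_name", [("NAS-IP-Address", "IP_NAS")]),
    ("vpn", [("NAS-IP-Address", "VPN.SERVER.IP")]),
    ("netflow", [("NAS-IP-Address", "NETFLOW.SERVER.IP")]),
]

# users file entries: (name, check items, reply items); items are (attr, op, value).
# Grégoire's two example@domain entries, with the reply list shortened.
USERS_GREGOIRE = [
    ("example@domain",
     [("Cleartext-Password", ":=", "password")],
     [("Service-Type", "=", "Framed-User"), ("Framed-Protocol", "=", "PPP"),
      ("Fall-Through", "=", "Yes")]),
    ("example@domain",
     [("Cleartext-Password", ":=", "password"),
      ("Huntgroup-Name", "==", "one_huntgroup_name")],
     [("Framed-IP-Address", "=", "STAT.IC.I.P")]),
]

# Arshad's four DEFAULT entries, as posted.
USERS_ARSHAD = [
    ("DEFAULT",
     [("Auth-Type", ":=", "ntlm_auth4"), ("Huntgroup-Name", "==", "vpn"),
      ("Login-Time", ":=", "Sa-Su0800-1300")],
     [("Fall-Through", "=", "Yes")]),
    ("DEFAULT",
     [("Auth-Type", ":=", "ntlm_auth3"), ("Huntgroup-Name", "==", "netflow")],
     [("Fall-Through", "=", "Yes")]),
    ("DEFAULT",
     [("Auth-Type", ":=", "ntlm_auth2"), ("Huntgroup-Name", "==", "vpn")],
     [("Fall-Through", "=", "Yes")]),
    ("DEFAULT", [("Auth-Type", "=", "ntlm_auth")], []),
]


def in_huntgroup(request, name):
    """'Huntgroup-Name == name' holds when the request satisfies the check
    items of a huntgroups entry with that name (rlm_preprocess's comparison)."""
    return any(hg == name and all(request.get(a) == v for a, v in checks)
               for hg, checks in HUNTGROUPS)


def apply_set(target, attr, op, value):
    """Set-style operators: ':=' replaces any existing value, '=' adds only if absent."""
    if op == ":=":
        target[attr] = value
    elif op == "=":
        target.setdefault(attr, value)
    else:
        raise ValueError("operator %r not modelled" % op)


def entry_matches(name, checks, request, control):
    """Comparisons decide the match; set items are copied to the control
    list only after every comparison held, so ':=' never checks anything."""
    if name != "DEFAULT" and name != request.get("User-Name"):
        return False
    pending = []
    for attr, op, value in checks:
        if op == "==":
            held = (in_huntgroup(request, value) if attr == "Huntgroup-Name"
                    else request.get(attr) == value)
            if not held:
                return False
        else:
            pending.append((attr, op, value))
    for attr, op, value in pending:
        apply_set(control, attr, op, value)
    return True


def authorize(users, request):
    """Walk entries in order; stop after the first match unless its reply
    items carry Fall-Through = Yes.  Returns (control items, reply items)."""
    control, reply = {}, {}
    for name, checks, replies in users:
        if not entry_matches(name, checks, request, control):
            continue
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":        # steers processing, never sent
                fall_through = value.lower() == "yes"
            else:
                apply_set(reply, attr, op, value)
        if not fall_through:
            break
    return control, reply


if __name__ == "__main__":
    for nas in ("IP_NAS", "OTHER.NAS"):
        req = {"User-Name": "example@domain", "NAS-IP-Address": nas}
        print(nas, authorize(USERS_GREGOIRE, req))
    for nas in ("VPN.SERVER.IP", "NETFLOW.SERVER.IP", "OTHER.NAS"):
        req = {"User-Name": "someone", "NAS-IP-Address": nas}
        print(nas, authorize(USERS_ARSHAD, req)[0])
```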

problems with mac auth and huntgroups

2011-03-16 Thread Eric Doutreleau

Hi

I'm using freeradius 2.1.10
I have set up MAC-auth-based authentication as it's written here
http://wiki.freeradius.org/Mac-Auth

It works quite well.

My problem is now that I want to combine that with huntgroups.

I have put in my /etc/raddb/huntgroups
the following line

radfiltuxmacs   NAS-IP-Address == 157.159.7.108, NAS-Port-Id == 19-21

and I have modified the authorized_macs this way

00188bd041e4    Huntgroup-Name == radfiltuxmacs
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id := 15,
        Fall-Through = no

With the Huntgroup-Name it doesn't work.

Here is the log:
Wed Mar 16 16:19:55 2011 : Debug: [thread] Received Access-Request packet from host 157.159.7.108 port 1025, id=38, length=197
Wed Mar 16 16:19:55 2011 : Debug: [thread]  Framed-MTU = 1466
Wed Mar 16 16:19:55 2011 : Debug: [thread]  NAS-IP-Address = 157.159.7.108
Wed Mar 16 16:19:55 2011 : Debug: [thread]  NAS-Identifier = radfilsw
Wed Mar 16 16:19:55 2011 : Debug: [thread]  User-Name = 00188bd041e4
Wed Mar 16 16:19:55 2011 : Debug: [thread]  Service-Type = Framed-User
Wed Mar 16 16:19:55 2011 : Debug: [thread]  Framed-Protocol = PPP
Wed Mar 16 16:19:55 2011 : Debug: [thread]  NAS-Port = 20
Wed Mar 16 16:19:55 2011 : Debug: [thread]  NAS-Port-Type = Ethernet
Wed Mar 16 16:19:55 2011 : Debug: [thread]  NAS-Port-Id = 20
Wed Mar 16 16:19:55 2011 : Debug: [thread]  Called-Station-Id = 00-23-47-33-7e-ec
Wed Mar 16 16:19:55 2011 : Debug: [thread]  Calling-Station-Id = 00-18-8b-d0-41-e4
Wed Mar 16 16:19:55 2011 : Debug: [thread]  Connect-Info = CONNECT Ethernet 100Mbps Full duplex
Wed Mar 16 16:19:55 2011 : Debug: [thread]  CHAP-Password = 0x14d8e8e4d846868af6005c652fa9294207
Wed Mar 16 16:19:55 2011 : Debug: [thread]  Message-Authenticator = 0x3f7d3084a4e8c0e1507b1b196132d645
Wed Mar 16 16:19:55 2011 : Debug: [thread] # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Mar 16 16:19:55 2011 : Debug: [thread] +- entering group authorize {...}
Wed Mar 16 16:19:55 2011 : Debug: ++[preprocess] returns ok
Wed Mar 16 16:19:55 2011 : Debug: ++- entering policy rewrite_calling_station_id {...}
Wed Mar 16 16:19:55 2011 : Debug: +++? if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
Wed Mar 16 16:19:55 2011 : Debug: ? Evaluating (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
Wed Mar 16 16:19:55 2011 : Debug: +++? if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
Wed Mar 16 16:19:55 2011 : Debug: +++- entering if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {...}
Wed Mar 16 16:19:55 2011 : Debug:  expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 00188bd041e4
Wed Mar 16 16:19:55 2011 : Debug: [request] returns ok
Wed Mar 16 16:19:55 2011 : Debug: +++- if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) returns ok
Wed Mar 16 16:19:55 2011 : Debug: +++ ... skipping else for request 0: Preceding if was taken
Wed Mar 16 16:19:55 2011 : Debug: ++- policy rewrite_calling_station_id returns ok
Wed Mar 16 16:19:55 2011 : Debug: ++? if (User-Name =~ /^%{Calling-Station-ID}$/i)
Wed Mar 16 16:19:55 2011 : Debug:  expand: ^%{Calling-Station-ID}$ -> ^00188bd041e4$
Wed Mar 16 16:19:55 2011 : Debug: ? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
Wed Mar 16 16:19:55 2011 : Debug: ++? if (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
Wed Mar 16 16:19:55 2011 : Debug: ++- entering if (User-Name =~ /^%{Calling-Station-ID}$/i) {...}
Wed Mar 16 16:19:55 2011 : Debug: +++[control] returns ok
Wed Mar 16 16:19:55 2011 : Debug: ++- if (User-Name =~ /^%{Calling-Station-ID}$/i) returns ok
Wed Mar 16 16:19:55 2011 : Debug: [auth_log]  expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/157.159.7.108/auth-detail-20110316
Wed Mar 16 16:19:55 2011 : Debug: [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/157.159.7.108/auth-detail-20110316
Wed Mar 16 16:19:55 2011 : Debug: [auth_log]  expand: %t -> Wed Mar 16 16:19:55 2011
Wed Mar 16 16:19:55 2011 : Debug: ++[auth_log] returns ok
Wed Mar 16 16:19:55 2011 : Debug: [chap] WARNING: Auth-Type already set.  Not setting to CHAP
Wed Mar 16 16:19:55 2011 : Debug: ++[chap] returns noop
Wed Mar 16 16:19:55 2011 : Debug: ++[mschap] returns noop
Wed Mar 16 16:19:55 2011 : Debug: [suffix] No '@' in User-Name = 00188bd041e4, looking up realm NULL
Wed Mar 16 16:19:55 2011 : Debug: [suffix] Found realm NULL
Wed

Re: deny access with huntgroups

2011-01-30 Thread tragus

Hello, I read your discussion and I have the same problem; what you said helped me,
but I can't find the right request to make in
/etc/raddb/sites-enabled/default in the section authorize just under
preprocess. Can you send me the request you have made? I would be so
thankful.
-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/deny-access-with-huntgroups-tp2780330p3364120.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


nas-identifier regex based huntgroups

2011-01-10 Thread Zdeněk Švarc

Hi guys,

there are some posts about subj. refering to search mailing list 
archive. I did that, but not sure what is the best solution for 2.1.10 
to solve this case. And of course, I would like to use regex for 
nas-identifier value. Thanks for your opinions.


Regards,

Z.


FW: Huntgroups question.

2010-12-21 Thread Ramon Escriba
 
OK, I'll try to clarify the question.

Does anybody know why in huntgroups this match works:

XXX NAS-IP-Address == X.Y.Z.W

or

XXX NAS-IP-Address == X.Y.Z.W, NAS-Port-Id == 1:33



But not this one:


XXX NAS-IP-Address==X.Y.Z.W, NAS-Port=1033, NAS-Port=1038


Thanks.

PD: Merry Christmas



Huntgroups question.

2010-12-20 Thread Ramon Escriba

Hi,

I have freeradius-server-2.1.1-1.27. My question is about huntgroups.


The huntgroup file has:

XXX NAS-IP-Address==X.Y.Z.W, NAS-Port=1033, NAS-Port=1038
#XXX NAS-IP-Address == X.Y.Z.W


In users:

DEFAULT Huntgroup-Name == XXX, ZZZ-Ldap-Group == mac, Auth-Type == ZZZ
(ZZZ is an LDAP backend)
#
Extreme-Netlogin-Vlan = ZZZ,
Termination-Action = 1,
Fall-Through = no
#



If I set XXX NAS-IP-Address == X.Y.Z.W in huntgroups and comment out
XXX NAS-IP-Address==X.Y.Z.W, NAS-Port=1033, NAS-Port=1038,
then it does MAC login without problems, but when I want to fix the port
range, it just skips the authentication
and finally rejects.

Any clue?


Thanks.





Ramon Escribà. (escriba%at$cells!dot#es)
System Managers CELLS.
Telf: +34.93.592.43.84
-If you think education is expensive, try ignorance.
-The market is a good slave, but a terrible master.
-Give Earth a chance, or she'll get rid of us.
--
CELLS - ALBA Synchrotron
Carretera BP 1413, de Cerdanyola del Vallès
 a Sant Cugat del Vallès, Km. 3,3
 08290 Cerdanyola del Vallès, Barcelona ,Spain
Tel: +34 93.592.4300   Fax: +34 93.592.4301
http://www.cells.es   v.1.52
-




mysql huntgroups Access-Reject

2010-12-15 Thread GeneTitus

Greetings from Texas.

I'm setting up freeradius to authenticate/authorize network engineers to log
into Cisco and Juniper devices. Some devices we share with other
organizations. I need to be able to allow some engineers access to some
devices and not others. I'm running on Red Hat with MySQL as the backend.
I'll be writing a web front end to manage our radius server(s) once I
get a working configuration for our situation.

I have freeradius 2.1.7. That's the rpm for redhat 5.4.

I have radcheck and radreply working. (username and password checking)

I have radusergroup, radgroupcheck, radgroupreply working if I populate the
huntgroups flat file with appropriate information.

I can set shell:privs on ciscos for a specific user based on group
membership via radgroupreply.

As I understand it, if I move huntgroups out of the flat file (preprocess)
and into MySQL, I lose the ability to send an Access-Reject based on
huntgroups.

Is that correct?


Thanks,
Gene Titus
The Office of Telecommunication Services
The University of Texas at Austin
-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/mysql-huntgroups-Access-Reject-tp3306623p3306623.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


HOWTO:Centralised LDAP Authentication - Part 2 - Using dynamic-clients instead of huntgroups

2010-10-06 Thread Peter Lambrechtsen
Following on from my previous post on Centralised LDAP Auth post:
http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html

I've found that using dynamic-clients gives me a few advantages over using
huntgroups.

1) Dynamic Clients allows you to have per-NAS shared secrets stored in LDAP
(or SQL) instead of having a whole network with the same shared secret.
This way you have better pseudo security by being able to set a password for
each individual NAS element.
2) Reduced LDAP queries due to dynamic-client's caching of the query
results.  This also helps to reduce one extra query against the LDAP
database since the client is cached in radiusd's memory.

So to set it up it's the same configuration as specified in the above post,
with the following differences:

Element Setup:  It's the same apart from now you need to add a second value
to each element for the Shared Secret password.  In the below cases I use
the ou or Department attribute.

---
OU=Elements,OU=Radius,DC=ACME,DC=COM
Elements will hold a record of every NAS in your Network.  You will create
Group objects based on the IP Address of the NAS and set the Location or
l attribute to the NAS Huntgroup the NAS belongs to allow them to be
centrally managed in LDAP.
IE
CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM
With a l value of CiscoRTR for a Cisco Router that has a NAS-IP-Address
or Source-IP-Address of 10.1.2.3.  This will make more sense further on.
And with a ou value of the shared secret password for the NAS element. ie
password
---

FILE:/etc/raddb/clients.conf
- Don't need to make any changes into this file anymore.

With the default config you will need to copy or symlink the dynamic-clients
file into the sites-enabled directory.  The easiest way is to symlink:

cd etc/raddb/sites-enabled
ln -s ../sites-available/dynamic-clients dynamic-clients

Now modify the dynamic-clients file:
FILE: /etc/raddb/sites-available/dynamic-clients
client dynamic {
#Include all IP's in the Dynamic Clients range
ipaddr = 0.0.0.0
netmask = 0
dynamic_clients = dynamic_client_server
lifetime = 86400
}

server dynamic_client_server {
authorize {
#Do a ldap lookup in the elements OU, check to see if the
Packet-Src-IP-Address object has a ou attribute, if it does continue.
if
(%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}};)
{
update control {
FreeRADIUS-Client-IP-Address = %{Packet-Src-IP-Address}
#Set the Client-Shortname to be the Location l just like in the
Huntgroups, but this time to the shortname.
FreeRADIUS-Client-Shortname =
%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}};
#NAS Type can't be used so no point in including it.
#FreeRADIUS-Client-NAS-Type =
%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?o?sub?cn=%{Packet-Src-IP-Address}};
#Lookup and set the Shared Secret based on the ou attribute.
FreeRADIUS-Client-Secret =
%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}};
}
}
ok
}
}
- END

FILE:/etc/raddb/sites-enabled/default

Instead of setting the Huntgroup, set the FreeRadius Client Name, so change:

   update request {
 Huntgroup-Name :=
%{ldap:ldap:///ou=Elements,ou=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}};
   }

with

   update request {
  Client-Shortname  := %{Client-Shortname}
   }

So that Client-Shortname is available in this virtual server and make all
the same changes in the default file as per the above post.

Now lastly the changes in the users file to perform the lookup.

Change:

DEFAULT Huntgroup-Name == Junipers, Ldap-Group ==
cn=JuniperAdmin,ou=Roles,ou=Radius,DC=ACME,DC=COM

With

DEFAULT Client-Shortname == Junipers, Ldap-Group ==
cn=JuniperAdmin,ou=Roles,ou=Radius,DC=ACME,DC=COM

And all the same settings as per the previous post.

This way you still have the advantages of per-NAS authentication, and now
you can also set passwords per-NAS, with less unnecessary traffic to the
LDAP server.

A win win all around.

Alan, do you want me to turn this into a Wiki entry???

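As an added example (not part of Peter's post and not FreeRADIUS code), the following Python script builds the Elements entries the HOWTO describes (cn = NAS address, l = client shortname, ou = shared secret) from a constructed inventory, generating a distinct random secret per NAS, and resolves a packet source address the way the dynamic_client_server authorize section does: an address with no Elements entry, or one without an ou value, yields no client, so the packet is simply not accepted. The objectClass lines, the inventory addresses and the 24-byte secret length are assumptions, not taken from the HOWTO.

```python
"""Elements OU with a per-NAS shared secret, modelled on the HOWTO above.

Added example: not the HOWTO author's code and not part of FreeRADIUS.
"""
import ipaddress
import secrets

# Base DN used in the HOWTO's ldap xlats.
BASE_DN = "OU=Elements,OU=Radius,DC=ACME,DC=COM"

# Assumption: 24 random bytes (192 bits) per secret, base64url-encoded.
SECRET_BYTES = 24

# Constructed inventory: (NAS address, huntgroup/shortname the NAS belongs to).
INVENTORY = [
    ("10.1.2.3", "CiscoRTR"),
    ("10.1.2.4", "CiscoRTR"),
    ("10.9.0.1", "Junipers"),
]


def new_secret():
    """A fresh shared secret for one NAS; never reused across elements."""
    return secrets.token_urlsafe(SECRET_BYTES)


def build_elements(inventory):
    """Map NAS address -> {'l': shortname, 'ou': secret}, one entry per NAS.

    Malformed and duplicate addresses are rejected up front, because the
    dynamic-client lookup keys on cn=<address> and must be unambiguous.
    """
    elements = {}
    for ip, shortname in inventory:
        ipaddress.ip_address(ip)  # raises ValueError on junk
        if ip in elements:
            raise ValueError(f"duplicate NAS entry for {ip}")
        elements[ip] = {"l": shortname, "ou": new_secret()}
    return elements


def to_ldif(elements):
    """Render the entries as LDIF (the objectClass values are an assumption)."""
    lines = []
    for ip, attrs in elements.items():
        lines += [
            f"dn: CN={ip},{BASE_DN}",
            "objectClass: top",
            "objectClass: group",
            f"cn: {ip}",
            f"l: {attrs['l']}",
            f"ou: {attrs['ou']}",
            "",
        ]
    return "\n".join(lines)


def resolve_client(elements, packet_src_ip):
    """What the dynamic_client_server authorize section decides for a source.

    Returns the control attributes the HOWTO sets, or None when the address
    has no Elements entry (or no ou value): then no client is defined for it.
    """
    entry = elements.get(packet_src_ip)
    if entry is None or not entry.get("ou"):
        return None
    return {
        "FreeRADIUS-Client-IP-Address": packet_src_ip,
        "FreeRADIUS-Client-Shortname": entry["l"],
        "FreeRADIUS-Client-Secret": entry["ou"],
    }


if __name__ == "__main__":
    els = build_elements(INVENTORY)
    print(to_ldif(els))
    print(resolve_client(els, "10.1.2.3"))
    print(resolve_client(els, "192.0.2.1"))  # None: unknown NAS
```

The LDIF can be loaded with ldapadd; the generated ou value then has to be configured on the corresponding NAS out of band, which is the one manual step per element that a single network-wide secret avoided.
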
Private attribute assigned in clients.conf and checked in huntgroups ?

2010-05-03 Thread Fred MAISON
Hello freeradius-users,

In many cases, when there are no attributes in the request to differentiate
the kind of NAS and we need to build a reply with NAS-dependent
(AVPAIR) attributes, the only solution is to assign the huntgroup by
checking the NAS-IP-Address again in preprocessing.

I would like to know if there is any way to create a private attribute in
clients.conf to assign a NAS type for Huntgroup selection.

I made some checks but the My-Nas-Type variable does not seem to be
accessible from within huntgroups as a checkItem.

As we have to manage more than 1000 various NAS, the idea is to have a
configured value in clients.conf to distinguish between different
kinds/manufacturers/models of NAS, to avoid later NAS-IP-Address check
again (it's already done in clients.conf) in Huntgroups, and to be able
to assign the HuntGroup by testing this private attribute.


For example :
dictionary :
ATTRIBUTE   My-Nas-Type   3000   string

clients.conf :

client c1 {
ipaddress = 10.1.1.1
My-Nas-Type = cisco
nastype = cisco
}
client c2 {
ipaddress = 10.1.1.2
My-Nas-Type = cisco
nastype = cisco
}
client c3 {
ipaddress = 10.2.2.2
My-Nas-Type = netscreen
nastype = other
}
client c4 {
ipaddress = 10.3.3.3
My-Nas-Type = provider1
nastype = other
}


huntgroups : 

cisco   Service-Type == Login-User, My-Nas-Type == cisco
netscreen   Service-Type == Login-User, My-Nas-Type == netscreen
provider1   Service-Type == Login-User, My-Nas-Type == provider1

ciscoByIP   NAS-IP-Address == 10.1.1.1, Service-Type == Login-User
ciscoByIP   NAS-IP-Address == 10.1.1.2, Service-Type == Login-User
netscreenByIP   NAS-IP-Address == 10.2.2.2, Service-Type == Login-User
p1ByIP  NAS-IP-Address == 10.3.3.3, Service-Type == Login-User


users : 

DEFAULT Huntgroup-Name == ciscogrp, Ldap-Group == CiscoRW
Cisco-AVPair := shell:priv-lvl=15
DEFAULT Huntgroup-Name == netscreen Ldap-Group == All-Admin-RW
NS-Admin-Privilege = All-VSYS-Root-Admin
DEFAULT Huntgroup-Name == provider1 Ldap-Group == P1RW
#Old config
DEFAULT Huntgroup-Name == ciscoByIP, Ldap-Group == CiscoRW
DEFAULT Huntgroup-Name == netscreenByIP, Ldap-Group == All-Admin-RW
DEFAULT Huntgroup-Name == p1ByIP, Ldap-Group == P1RW




Re: Private attribute assigned in clients.conf and checked in huntgroups ?

2010-05-03 Thread Alexander Clouter
Fred MAISON fred.mai...@gmail.com wrote:

 [snipped]
 
 For example :
 dictionary :
 ATTRIBUTE   My-Nas-Type   3000   string
 
 clients.conf :
 
 client c1 {
ipaddress = 10.1.1.1
My-Nas-Type = cisco
nastype = cisco
 }

It is only available from unlang, however what you want is:

authorized {
...

  update request {
#NAS-Identifier  := %{client:shortname}
#NAS-Vendor  := %{client:vendor}
My-Nas-Type := %{client:My-Nas-Type}
  }

...

  files

...
}


I personally recommend you give it a nicer name, I use 'vendor' as you 
can see in the commented out section above :)

Cheers

-- 
Alexander Clouter
.sigmonster says: You may get an opportunity for advancement today.  Watch it!



Re: Private attribute assigned in clients.conf and checked in huntgroups ?

2010-05-03 Thread Fred MAISON
On Monday 03 May 2010 at 18:29 +0100, Alexander Clouter wrote:
 Fred MAISON fred.mai...@gmail.com wrote:
 
  [snipped]
  
  For example :
  dictionary :
  ATTRIBUTE   My-Nas-Type   3000   string
  
  clients.conf :
  
  client c1 {
 ipaddress = 10.1.1.1
 My-Nas-Type = cisco
 nastype = cisco
  }
 
 It is only available from unlang, however what you want is:
 
 authorized {
 ...
 
   update request {
 #NAS-Identifier  := %{client:shortname}
 #NAS-Vendor  := %{client:vendor}
 My-Nas-Type := %{client:My-Nas-Type}
   }
 
 ...
 
   files
 
 ...
 }
 
 
 I personally recommend you give it a nicer name, I use 'vendor' as you 
 can see in the commented out section above :)
 
 Cheers
 

Great !
Thanks a lot for your suggestion, it fits very well to my needs.



Re: deny access with huntgroups

2009-08-28 Thread mikoi

 You have to enforce reject: 

 if(SQL-Group == vpnuser) { 
 ok 
 } 
 else { 
 reject 
 } 

 Ivan Kalik 
 Kalik Informatika ISP 
Alright, that makes sense.
But can the if(xxx) contain several SQL queries to the database?
The username and groupname from radusergroup and the groupname from radhuntgroup
need to be
matched somehow so that no one not in the right group can get through.

Something like:

if(SQL-Group == %{sql:select groupname  AND  SQL-User-Name ==
%{sql AND so on...

Sorry for the obvious questions, but you are helping me a lot. Thanks.

/Mika
-- 
View this message in context: 
http://www.nabble.com/deny-access-with-huntgroups-tp25151127p25185118.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: deny access with huntgroups

2009-08-28 Thread Ivan Kalik

 You have to enforce reject:

 if(SQL-Group == vpnuser) {
 ok
 }
 else {
 reject
 }

 Ivan Kalik
 Kalik Informatika ISP
 Alright, that makes sense.
 But can the if(xxx) contain several SQL queries to the database?
 The username and groupname from radusergroup and the groupname from
 radhuntgroup
 need to be
 matched somehow so that no one not in the right group can get through.

 Something like:

 if(SQL-Group == %{sql:select groupname  AND  SQL-User-Name ==

SQL-Group ==  is equivalent to that.

 %{sql AND so on...

You can do:

if(statement && another statement || other statement) {
...


Ivan Kalik
Kalik Informatika ISP



Re: deny access with huntgroups

2009-08-28 Thread mikoi

SQL-Group ==  is equivalent to that.

 %{sql AND so on...

You can do:

if(statement && another statement || other statement) {
...
Ivan Kalik
Kalik Informatika ISP

This is Awesome! Thanks for taking the time to answer my obvious questions.
/Mika

-- 
View this message in context: 
http://www.nabble.com/deny-access-with-huntgroups-tp25151127p25186064.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: deny access with huntgroups

2009-08-27 Thread mikoi

Finally. I got it working with the files (users and huntgroups), but I need
this to work in SQL instead and seem to run into the same problem. All
NAS-IPs are accepted. Why??
I am so close but not quite there. Please help!
I followed a guide from jdennis that I googled up, but something is accepting
the user. How do I turn this off?

I have nothing configured in users and huntgroups files.

In sites-enabled/default:

Disabled preprocess and added:
update request { 
Huntgroup-Name := %{sql:select groupname from radhuntgroup where
nasipaddress=\%{NAS-IP-Address}\} 
} 


Debug is below, but first the tables..


mysql> select * from radcheck;
+----+----------+--------------------+----+---------+
| id | username | attribute          | op | value   |
+----+----------+--------------------+----+---------+
|  9 | sqluser  | Cleartext-Password | := | sqluser |
+----+----------+--------------------+----+---------+
1 row in set (0.00 sec)

mysql> select * from radgroupcheck;
+----+-----------+----------------+----+-------+
| id | groupname | attribute      | op | value |
+----+-----------+----------------+----+-------+
|  9 | vpnauth   | Huntgroup-Name | == | vpn   |
+----+-----------+----------------+----+-------+
1 row in set (0.00 sec)

mysql> select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| sqluser  | vpnauth   |        0 |
+----------+-----------+----------+
1 row in set (0.01 sec)

mysql> select * from radhuntgroup;
+----+-----------+--------------+-----------+
| id | groupname | nasipaddress | nasportid |
+----+-----------+--------------+-----------+
|  1 | vpn       | 10.10.10.10  | NULL      |
+----+-----------+--------------+-----------+



DEBUG: (from what I can read, module pap accepts the user??)


[r...@aut-freeradius mikoi]# radiusd -X
FreeRADIUS Version 2.1.6, for host i386-redhat-linux-gnu, built on Jun  2
2009 at 17:33:54
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including

Re: deny access with huntgroups

2009-08-27 Thread Ivan Kalik

 Finally. I got it working with the files (users and huntgroups), but I
 need
 this to work in SQL instead and seem to run into the same problem. All
 NAS-IPs are accepted. Why??

Because if sql group doesn't match it is ignored - user is not rejected.

 I am so close but not quite there. Please help!
 I followed a guide from jdennis that I googled up, but something is
 accepting
 the user. How do I turn this off?

You have to enforce reject:

if(SQL-Group == vpnuser) {
 ok
}
else {
 reject
}

Ivan Kalik
Kalik Informatika ISP


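The accept-by-default behaviour Ivan points out above (a group check that fails in SQL is simply ignored, so the user still gets in on a correct password) is easy to reproduce offline. The following Python script is an added example, not code from this thread or from the FreeRADIUS project: it loads the radcheck, radusergroup, radgroupcheck and radhuntgroup rows Mika printed into an in-memory SQLite database and models the authorize decision twice, once the way the thread's configuration behaves and once with the explicit reject Ivan recommends (the enforce_reject flag stands in for his if (SQL-Group == ...) { ok } else { reject } block). The decision logic is a deliberately small stand-in for rlm_sql, not the module itself, and the unknown NAS address 192.0.2.77 is constructed for the demonstration.

```python
"""Why a non-matching SQL huntgroup does not reject by itself.

Added example: not code from this thread and not part of FreeRADIUS. The rows
are the ones printed in the thread; the decision logic is a small stand-in for
rlm_sql's authorize behaviour, not the module.
"""
import sqlite3

# Constructed from the four tables shown in the thread.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radhuntgroup (id INTEGER, groupname TEXT, nasipaddress TEXT, nasportid TEXT);
INSERT INTO radcheck VALUES (9, 'sqluser', 'Cleartext-Password', ':=', 'sqluser');
INSERT INTO radusergroup VALUES ('sqluser', 'vpnauth', 0);
INSERT INTO radgroupcheck VALUES (9, 'vpnauth', 'Huntgroup-Name', '==', 'vpn');
INSERT INTO radhuntgroup VALUES (1, 'vpn', '10.10.10.10', NULL);
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def huntgroup_for_nas(db, nas_ip):
    """The 'Huntgroup-Name := %{sql:select groupname ...}' lookup, parameterised."""
    row = db.execute(
        "SELECT groupname FROM radhuntgroup WHERE nasipaddress = ?", (nas_ip,)
    ).fetchone()
    return row[0] if row else None


def password_ok(db, username, password):
    row = db.execute(
        "SELECT value FROM radcheck WHERE username = ? AND attribute = 'Cleartext-Password'",
        (username,),
    ).fetchone()
    return row is not None and row[0] == password


def matched_groups(db, username, request):
    """Groups from radusergroup whose radgroupcheck items all match the request.

    Only the '==' operator is modelled, which is all the thread's rows use.
    """
    matched = []
    for (group,) in db.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority",
        (username,),
    ):
        checks = db.execute(
            "SELECT attribute, op, value FROM radgroupcheck WHERE groupname = ?",
            (group,),
        ).fetchall()
        if all(op == "==" and request.get(attr) == value for attr, op, value in checks):
            matched.append(group)
    return matched


def authorize(db, username, password, nas_ip, enforce_reject):
    """Return 'accept' or 'reject' for one Access-Request.

    enforce_reject=False: a failed group check is ignored, as in the thread.
    enforce_reject=True: no matching group means reject, which is what Ivan's
    'if (SQL-Group == ...) { ok } else { reject }' block adds.
    """
    request = {"User-Name": username, "NAS-IP-Address": nas_ip}
    hg = huntgroup_for_nas(db, nas_ip)
    if hg is not None:
        request["Huntgroup-Name"] = hg
    if enforce_reject and not matched_groups(db, username, request):
        return "reject"
    return "accept" if password_ok(db, username, password) else "reject"


if __name__ == "__main__":
    db = open_db()
    for nas in ("10.10.10.10", "192.0.2.77"):  # second address is constructed
        for enforce in (False, True):
            print(nas, "enforce_reject=%s" % enforce,
                  authorize(db, "sqluser", "sqluser", nas, enforce))
```

Run as is, the script shows sqluser accepted from both addresses with enforce_reject=False, which is exactly the symptom in the thread, and rejected from 192.0.2.77 once the missing-group case is turned into an explicit reject. The parameterised queries are a deliberate choice: the NAS address comes from the packet, so it is bound as a parameter rather than pasted into the SQL text.
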

deny access with huntgroups

2009-08-26 Thread mikoi

Hello.
How can I deny access for all other users that don't have a Huntgroup-Name
defined, and deny when NAS-IP-Address is missing or wrong in the request?

My current configuration accepts all authentications as long as the password is
correct.


users:
localuser Huntgroup-Name == vpn, Cleartext-Password := localuser

huntgroups:
vpn NAS-IP-Address == 164.9.158.65

I am missing something. Please point me in the right direction.
Thanks.

-- 
View this message in context: 
http://www.nabble.com/deny-access-with-huntgroups-tp25151127p25151127.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: deny access with huntgroups

2009-08-26 Thread Ivan Kalik
 How can I deny access for all other users that don't have a Huntgroup-Name
 defined, and deny when NAS-IP-Address is missing or wrong in the request?

 My current configuration accepts all authentications as long as the password
 is
 correct.

 users:
 localuser Huntgroup-Name == vpn, Cleartext-Password := localuser

 huntgroups:
 vpn NAS-IP-Address == 164.9.158.65

 I am missing something. Please point me in the right direction.

Post the debug. Something else is letting the user in. With these entries he
shouldn't be able to connect from a different NAS. You don't have an entry
without the huntgroup for this user?

Ivan Kalik
Kalik Informatika ISP


Huntgroups and SQL not being enforced

2009-08-18 Thread mikoi

Hello.
I need some help to debug my configuration of Huntgroups in SQL and why they
are not being enforced.
Probably missing something obvious here. I've been staring myself blind at
this problem.
The user gets Access-Accept although NAS-IP-Address is not a match.


Here is the setup:
Freeradius 2.1.6, MySQL.

Tables in MySQL:

RADCHECK
mysql> select * from radcheck;
+----+----------+--------------------+----+----------+
| id | username | attribute          | op | value    |
+----+----------+--------------------+----+----------+
| 33 | testuser | Cleartext-Password | := | testuser |
+----+----------+--------------------+----+----------+


USERGROUP:
mysql> select * from usergroup;
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| testuser | VPN-AUTH  |        0 |
+----------+-----------+----------+


RADGROUPCHECK:
mysql> select * from radgroupcheck;
+----+-----------+----------------+----+-------------+
| id | groupname | attribute      | op | value       |
+----+-----------+----------------+----+-------------+
|  8 | VPN-AUTH  | Huntgroup-Name | == | VPN-Service |
+----+-----------+----------------+----+-------------+

RADHUNTGROUP:
mysql> select * from radhuntgroup;
+----+-------------+--------------+-----------+
| id | groupname   | nasipaddress | nasportid |
+----+-------------+--------------+-----------+
|  6 | VPN-Service | 10.10.10.10  | NULL      |
+----+-------------+--------------+-----------+


sites-enabled/default:
authorize

#   SQL query huntgroups

update request {
Huntgroup-Name := %{sql:select groupname from radhuntgroup
where nasipaddress=\%{NAS-IP-Address}\}
}





Debug with correct NAS-IP-Address:

rad_recv: Access-Request packet from host x.x.x.x port 1812, id=20,
length=54
User-Name = testuser
User-Password = testuser
NAS-IP-Address = 10.10.10.10
+- entering group authorize {...}
++[preprocess] returns ok
sql_xlat
expand: %{User-Name} - testuser
sql_set_user escaped user -- 'testuser'
expand: select groupname from radhuntgroup where
nasipaddress=%{NAS-IP-Address} - select groupname from radhuntgroup where
nasipaddress=10.10.10.10
rlm_sql (sql): Reserving sql socket id: 3
sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
expand: %{sql:select groupname from radhuntgroup where
nasipaddress=%{NAS-IP-Address}} - VPN-Service
++[request] returns ok
sql_xlat
expand: %{User-Name} - testuser
sql_set_user escaped user -- 'testuser'
expand: select authserver from authmethod where username
=%{User-Name} - select authserver from authmethod where username
=testuser
rlm_sql (sql): Reserving sql socket id: 2
sql_xlat finished
rlm_sql (sql): Released sql socket id: 2
expand: %{sql:select authserver from authmethod where username
=%{User-Name}} - LOCAL
++[control] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = testuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} - testuser
[sql] sql_set_user escaped user -- 'testuser'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id
- SELECT id, username, attribute, value, op   FROM radcheck  
WHERE username = 'testuser'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id
- SELECT id, username, attribute, value, op   FROM radreply  
WHERE username = 'testuser'   ORDER BY id
[sql]   expand: SELECT groupname   FROM usergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority - SELECT
groupname   FROM usergroup   WHERE username = 'testuser'
ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,   Value, op  
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'  
ORDER BY id - SELECT id, groupname, attribute,   Value, op  
FROM radgroupcheck   WHERE groupname = 'VPN-AUTH'   ORDER BY
id
[sql] User found in group VPN-AUTH
[sql]   expand: SELECT id, groupname, attribute,   value, op  
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'  
ORDER BY id - SELECT id, groupname, attribute,   value, op  
FROM radgroupreply   WHERE groupname = 'VPN-AUTH'   ORDER BY
id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering

Re: Huntgroups and SQL not being enforced

2009-08-18 Thread mikoi

Hi.
For info, I followed the information in the link below for my Huntgroups,
but without Auth-Type since it is not recommended.

http://wiki.freeradius.org/SQL_Huntgroup_HOWTO

I still can't get huntgroups to be enforced properly.

If i add Huntgroup-Name == VPN-Service to the radcheck table, it works for
my local users (the ones with a Cleartext-Password in Freeradius), but not
for my proxied users.

Any hints?

/M
-- 
View this message in context: 
http://www.nabble.com/Huntgroups-and-SQL-not-being-enforced-tp25019815p25024576.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



SQL and huntgroups

2009-07-20 Thread Kanwar Ranbir Sandhu
Hi All,

I want to use huntgroups in freeradius 2.1.6.  I have a sql backend for
auth and acct, so naturally I want to put huntgroups into mysql as well.

I've read the wiki on how to do this, and I understand the notes.
However, the wiki entry mentions that the following should either go
into radiusd.conf or in sites-enabled/default:

update request {
Huntgroup-Name := %{sql:select groupname from radhuntgroup where 
nasipaddress=\%{NAS-IP-Address}\}
}

Can I put that into my virtual server (also in sites-enabled) instead of
the two options presented in the wiki?  Or, is it much better to put it
into the default config file?

Thanks,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.25-170.2.72.fc10.x86_64 x86_64 GNU/Linux 
16:41:50 up 2 days, 23:12, 4 users, load average: 0.54, 0.53, 0.37 




Re: SQL and huntgroups

2009-07-20 Thread Ivan Kalik
 I've read the wiki on how to do this, and I understand the notes.
 However, the wiki entry mentions that the following should either go
 into radiusd.conf or in sites-enabled/default:

 update request {
 Huntgroup-Name := %{sql:select groupname from radhuntgroup where
 nasipaddress=\%{NAS-IP-Address}\}
 }

 Can I put that into my virtual server (also in sites-enabled) instead of
 the two options presented in the wiki?

You can put it in any virtual server where you want to use it.


Ivan Kalik
Kalik Informatika ISP



segmentation fault with group in huntgroups

2009-06-11 Thread François Mehault
Hi All,

I want to use huntgroups to restrict access to certain huntgroups to 
certain groups of users. So I edited my huntgroups file:

swLabo  NAS-IP-Address == 192.168.0.50
        Group = administrateur

I guess that administrateur is a Ldap-Group, isn't it ? And I use OpenLDAP to 
store my users and my radiusGroupName.

dn: ou=Profiles,dc=netplus,dc=fr
objectClass: organizationalUnit
objectClass: top
ou: Profiles

dn: cn=administrateur,ou=Profiles,dc=netplus,dc=fr
objectClass: radiusObjectProfile
objectClass: top
objectClass: radiusprofile
radiusServiceType: NAS-Prompt-User
radiusVSA: shell:priv-lvl=15
cn: administrateur


dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
radiusGroupName: administrateur
homeDirectory: /home/fmehault
loginShell: /usr/local/bin/zsh
cn: Francois MEHAULT
gidNumber: 1203
userPassword: {SHA}C5wmJdwh7wX2rU3fR8XyA4N6oyw=

So I understand that fmehault is able to authenticate on the NAS 192.168.0.50. 
But I have a segmentation fault of radiusd. I created also the posix group 
administrateur which includes fmehault.

rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=67, 
length=80
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = fmehault
Calling-Station-Id = 192.168.0.80
User-Password = mdp
+- entering group authorize {...}
zsh: segmentation fault  radiusd -X

# id fmehault
uid=1203(fmehault) gid=1203 groups=1203,1400(administrateur)

What is the problem ? If someone has a documentation/howto about huntgroups and 
group, I am interested.

Regards,

François Mehault
Netplus Communication

Re: segmentation fault with group in huntgroups

2009-06-11 Thread Ivan Kalik
 I want to use huntgroups to restrict access to certain huntgroups to
 certain groups of users. So I edited my huntgroups file:

 swLabo  NAS-IP-Address == 192.168.0.50
         Group = administrateur

 I guess that administrateur is a Ldap-Group, isn't it ? And I use OpenLDAP
 to store my users and my radiusGroupName.

swLabo  NAS-IP-Address == 192.168.0.50
        Ldap-Group = administrateur


Ivan Kalik
Kalik Informatika ISP



Re: segmentation fault with group in huntgroups

2009-06-11 Thread Alan DeKok
François Mehault wrote:
 So I understand that fmehault is able to authenticate on the NAS
 192.168.0.50. But I have a segmentation fault of radiusd. I created also
 the posix group administrateur which includes fmehault.

  Which version are you using?

 +- entering group authorize {...}
 zsh: segmentation fault  radiusd -X

  My guess is that you're using modules from one version of the server,
and a server binary from another.

  What does the *full* debugging output say?

  Alan DeKok.

RE: segmentation fault with group in huntgroups

2009-06-11 Thread François Mehault
I use version 2.1.4 on FreeBSD, but with Ldap-Group rather than Group in 
huntgroups file, it works.

-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Thursday 11 June 2009 14:54
To: FreeRadius users mailing list
Subject: Re: segmentation fault with group in huntgroups

François Mehault wrote:
 So I understand that fmehault is able to authenticate on the NAS
 192.168.0.50. But I have a segmentation fault of radiusd. I created also
 the posix group administrateur which includes fmehault.

  Which version are you using?

 +- entering group authorize {...}
 zsh: segmentation fault  radiusd –X

  My guess is that you're using modules from one version of the server,
and a server binary from another.

  What does the *full* debugging output say?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Unable to implement huntgroups--pls help

2009-05-23 Thread Parashar Singh
I want to implement huntgroup for Radius server. In this respect I want to
give access to user name test1, which authenticated via LDAP, to only one
NAS with IP 172.16.0.150. For this I have modified /etc/raddb/users file
with following data:


kmcuser Auth-Type := LDAP, Huntgroup-Name == kmc1
        Fall-Through = Yes

DEFAULT Auth-Type = LDAP
        Fall-Through = 1



And I have modified /etc/raddb/huntgroups file with following data:

kmc1    NAS-IP-Address == 172.16.0.150
        User-Name = kmcuser

But it is not working: with username kmcuser, I am able to log in to other
NAS as well, not having IP 172.16.0.150.

Please suggest some solution,

Thanks

Re: Unable to implement huntgroups--pls help

2009-05-23 Thread Ivan Kalik
 I want to implement huntgroup for Radius server. In this respect I want to
 give access to user name test1, which authenticated via LDAP, to only one
 NAS with IP 172.16.0.150. For this I have modified /etc/raddb/users file
 with following data:


 kmcuser Auth-Type := LDAP, Huntgroup-Name == kmc1
         Fall-Through = Yes

Insert this in between:

kmcuser Auth-Type := Reject

  DEFAULT Auth-Type = LDAP
 Fall-Through = 1

Ivan Kalik
Kalik Informatika ISP



Re: Huntgroups and Network of Clients

2009-03-12 Thread HRZ Konten

 What will be
 the configuration then?

 DEFAULT Huntgroup-Name == testldap, Ldap-Group == employee, Auth-Type := Pam
         Fall-Through = no

 DEFAULT if (NAS-IP-Address z.z.z.z  NAS-IP-Address y.y.y.y) {
 Auth-Type:= Pam} else
 {

   Auth-Type := Reject
   Reply-Message = "Please call the helpdesk."
 }

 Does that make sense?

 

 Not really. Stick to one thing - users file or unlang. I would recommend
 unlang. 
I already thought about your advice to concentrate on unlang and to check in

sites-enabled/default
-
authorize 
{
ldap

 if (Ldap-Group == employee && NAS-IP-Address =~ 
/^131\.(220)\.(1)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/) 
   {ok} else
 
 if (Ldap-Group == student && NAS-IP-Address =~ 
/^131\.(220)\.(2)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/) 
   {ok} else
 if (Huntgroup-Name == testldap && Ldap-Group == student ) 
   {ok} else
.
   else {reject}


Is that right?

Should Auth-Type:=Pam stay then in users?
 

I read in another post from today, "How to allow nas'es to serve only
groups of clients?", that somebody tries to do almost the same with
unlang and SQL-Groups that I'm trying to do with unlang and LDAP-Groups.
It seems that unlang doesn't work with SQL-Groups, so could it be that
the same situation is true for LDAP-Groups too?

I still have freeradius 1.1.7 and I would like to do an urgent upgrade only
if I can use unlang to check subnets and Ldap-Groups with it. If this is
not possible, I would like to know.
Is there maybe another way to check subnets? Can I use regex for
example in huntgroups? Then I wouldn't need to use unlang and could stay
some more time at my current version of freeradius.

Greets
Meyes
 What you posted is a mixture of both but the essence is OK. Just
 use regex for checking subnets.
   


Re: Huntgroups and Network of Clients

2009-03-12 Thread tnt

sites-enabled/default
-
authorize
{
ldap

 if (Ldap-Group == employee && NAS-IP-Address =~
 /^131\.(220)\.(1)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/)
   {ok} else

 if (Ldap-Group == student && NAS-IP-Address =~
 /^131\.(220)\.(2)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/)
   {ok} else
 if (Huntgroup-Name == testldap && Ldap-Group == student )
   {ok} else
..
   else {reject}


Is that right?

No. But if you remove else and change if to elsif it will be.


Should Auth-Type:=Pam stay then in users?


Yes. Or you can put it in here instead of ok.


I read in another post from today, "How to allow nas'es to serve only
groups of clients?", that somebody tries to do almost the same with
unlang and SQL-Groups that I'm trying to do with unlang and LDAP-Groups.
It seems that unlang doesn't work with SQL-Groups, so could it be that
the same situation is true for LDAP-Groups too?

== should work. It seems that != doesn't work in unlang with those
attributes.

Ivan Kalik
Kalik Informatika ISP



Re: Huntgroups and Network of Clients

2009-03-10 Thread HRZ Konten

 In 2.1.3 you can use unlang and not need huntgroups at all. Read man
 unlang on freeradius site.
   
Thank you for your answer Ivan. I'm thinking about upgrading to 2.1.3 or
2.1.4 but I'm not really sure how to transform my huntgroups and users
configuration into unlang. I read the documentation but I have big
problems understanding it. Please, I need a little bit of help on this.
Should it be something like that?


if (Ldap-Group == employee  NAS-IP-Address x.x.x.x  NAS-IP-Address
y.y.y.y) {
Auth-Type:= Pam} else
if (Ldap-Group == student  NAS-IP-Address z.z.z.z  NAS-IP-Address
y.y.y.y) {
Auth-Type:= Pam} else

if (NAS-IP-Address z.z.z.z  NAS-IP-Address y.y.y.y) {
Auth-Type:= Pam} else
{

   Auth-Type := Reject
}



Sorry but I'm not sure
1. whether NAS-IP-Address is the right variable to check if a
client is in a subnetwork
2. where I should put this if-condition: can I put it in users instead
of huntgroups? Or should it stay in sites-available/default, and in what
section, or in radiusd.conf?
3. I have more than 100 different clients, some with an IP address,
some with a network mask. It is really simple to put the ones with
IP addresses into the huntgroups file with different groups. But when I
implement a condition with unlang for every one of them, wouldn't that
be a killer for the performance when every query checks the script?

Is it possible that I keep my huntgroups for all clients with
IP addresses and write conditions only for network masks? What will be
the configuration then?

DEFAULT Huntgroup-Name == testldap, Ldap-Group == employee, Auth-Type := Pam
        Fall-Through = no

DEFAULT if (NAS-IP-Address z.z.z.z  NAS-IP-Address y.y.y.y) {
Auth-Type:= Pam} else
{

   Auth-Type := Reject
   Reply-Message = "Please call the helpdesk."
}

Does that make sense?

Greets,
Meyes


 Ivan Kalik
 Kalik Informatika ISP



Re: Huntgroups and Network of Clients

2009-03-10 Thread tnt
Is it possible that I keep my huntgroups for all clients with
IP addresses and write conditions only for network masks?

That would probably be the best. You might benefit from using sql
huntgroup implementation (pull IP's from the database):

http://wiki.freeradius.org/SQL_Huntgroup_HOWTO

What will be
the configuration then?

DEFAULT Huntgroup-Name == testldap, Ldap-Group == employee, Auth-Type := Pam
        Fall-Through = no

DEFAULT if (NAS-IP-Address z.z.z.z  NAS-IP-Address y.y.y.y) {
Auth-Type:= Pam} else
{

   Auth-Type := Reject
   Reply-Message = "Please call the helpdesk."
}

Does that make sense?


Not really. Stick to one thing - users file or unlang. I would recommend
unlang. What you posted is a mixture of both but the essence is OK. Just
use regex for checking subnets.

Ivan Kalik
Kalik Informatika ISP



Huntgroups and Network of Clients

2009-03-09 Thread HRZ Konten
Hi all,

I use Freeradius 1.1.7 (yes, sorry, I know it is a little bit old but
there is no time to upgrade :( )

I want the requests from some servers to be checked and authenticated
through LDAP groups. For example,
requests from IP x.x.x.x should be authenticated only if the user is in
the LDAP group employee, the same for
IP y.y.y.y. Then I have some other servers with requests that don't
need LDAP authorisation.

I used the huntgroups to define the first two servers as huntgroup
testldap and the rest as huntgroup all.
That works great for IP addresses. The list is long, but still ok.
Only if I want to do that for a network of clients does this not work. The
problem is that I must list all of the servers that should gain access
and I have a lot of PC pools which use radius to authenticate. In
client.conf they are written with the network addresses; that doesn't
work in the huntgroups file. I don't want to list all of the PC pool members
in the huntgroups because there are too many...


Does Huntgroup support only IP addresses, or can I fill in network
addresses too?
Or is there another workaround? Or maybe this issue is already changed
in the new version 2.3.1?


users

DEFAULT Huntgroup-Name == testldap, Ldap-Group == employee, Auth-Type := Pam
        Fall-Through = no
DEFAULT Huntgroup-Name == all, Auth-Type := Pam
        Fall-Through = no
DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."



huntgroups
-
#Test LDAP
testldap   NAS-IP-Address == x.x.x.x
testldap   NAS-IP-Address == y.y.y.y
#All Users
all        NAS-IP-Address == a.a.a.a

all        NAS-IP-Address == z.z.z.z/26

Greets,
Meyes


Re: Huntgroups and Network of Clients

2009-03-09 Thread tnt
Does Huntgroup support only IP addresses, or can I fill in network
addresses too?

It's not what huntgroups support but what does the attribute
(NAS-IP-Address) support. And it is an IP address, not network.

Or is there another workaround? Or maybe this issue is already changed
in the new version 2.3.1?

In 2.1.3 you can use unlang and not need huntgroups at all. Read man
unlang on freeradius site.

Ivan Kalik
Kalik Informatika ISP

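The thread above turns on two points: the huntgroups file compares NAS-IP-Address, a single address, for equality, so a network such as z.z.z.z/26 can never match, while unlang can instead match the address against a regex like the one quoted in the earlier replies. The following Python is an added example, not code from the posts or from FreeRADIUS; it reproduces both checks offline: a first-match huntgroup lookup with the equality semantics of the huntgroups file, the regex from the thread, a CIDR membership test, and a helper that generates an equivalent anchored regex for any IPv4 network with a prefix length of 24 or longer (which goes beyond the single /24 pattern the thread shows). The addresses, the huntgroups entries and the function names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample data for this example (not from the list posts or from any
# FreeRADIUS file). The regex is the one quoted in the thread for 131.220.1.0/24.
EMPLOYEE_NAS_REGEX = r"^131\.(220)\.(1)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"

# Entries in the style of the huntgroups file: (huntgroup name, NAS-IP-Address
# value). The preprocess module compares the request's NAS-IP-Address, a single
# IPv4 address, for equality, so a "network/prefix" value can never match.
HUNTGROUPS_FILE = [
    ("testldap", "131.220.1.10"),
    ("testldap", "131.220.1.11"),
    ("all", "131.220.9.1"),
    ("all", "131.220.2.0/26"),   # never matches: this is not an address
]


def huntgroup_for(nas_ip, entries=HUNTGROUPS_FILE):
    """First-match lookup with the equality semantics of the huntgroups file."""
    for name, value in entries:
        if nas_ip == value:
            return name
    return None


def nas_matches_regex(nas_ip, pattern=EMPLOYEE_NAS_REGEX):
    """The unlang check `NAS-IP-Address =~ /pattern/`, evaluated in Python."""
    return re.match(pattern, nas_ip) is not None


def nas_in_network(nas_ip, network):
    """CIDR membership test, the check a huntgroups entry like z.z.z.z/26 intended."""
    return ipaddress.ip_address(nas_ip) in ipaddress.ip_network(network, strict=False)


def regex_for_network(network):
    """Build an anchored regex that matches exactly the addresses of an IPv4
    network with prefix length >= 24, by enumerating the last octet.

    Shorter prefixes would need octet-range alternations; rather than emit a
    pattern that silently over- or under-matches, refuse them.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen < 24:
        raise ValueError("only IPv4 networks with prefix length >= 24 are supported")
    first_three = re.escape(".".join(str(net.network_address).split(".")[:3]))
    # Iterating an ip_network yields every address in the block, including the
    # network and broadcast addresses, which is what a NAS-IP-Address check wants.
    last_octets = [str(addr).rsplit(".", 1)[1] for addr in net]
    return r"^" + first_three + r"\.(?:" + "|".join(last_octets) + r")$"


def nas_allowed(nas_ip, networks):
    """Check a NAS address against a list of networks using generated regexes,
    which is what replacing many huntgroups lines with one unlang rule amounts to."""
    return any(nas_matches_regex(nas_ip, regex_for_network(n)) for n in networks)
```

`huntgroup_for` shows why the `/26` line in the original huntgroups file never fires; `nas_in_network` is the test that line wanted, and `regex_for_network` turns the same network into a pattern that a `=~` comparison in unlang can use, so the list of PC pools does not have to be expanded into one huntgroups line per host.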


Huntgroups issue - every user is accepted

2009-01-19 Thread Hanno Schupp
Dear All,

 

I am trying to implement huntgroups via MySQL according to
http://wiki.freeradius.org/SQL_Huntgroup_HOWTO. One difference is the
assignment of huntgroups not according to NAS-IP, but to Called-Station-Id.
The goal is to suppress roaming between hotspot routers, between groups of
hotspots.

 

For that purpose I have inserted the code 

...

update request {
        Huntgroup-Name := "%{sql02:select groupname from radhuntgroup where calledstationid = '%{Called-Station-Id}'}"
}

...

In lieu of the module 'preprocess' into group 'authorize', as advised in the
HOWTO.

 

 

I have maintained the following entries in SQL tables:

 

`radhuntgroup` 

`id`, `groupname`, `calledstationid`

1, 'Test-Rejec', '00-1D-7E-E7-96-9F'

 

`usergroup` 

`UserName`, `GroupName`, `priority`

'yubvef13', 'TestGroup', 1

 

`radgroupcheck` 

`id`, `GroupName`, `Attribute`, `op`, `Value`

1, 'TestGroup', 'Huntgroup-Name', ':=', 'Test'

 

One would expect the user to be rejected if the user tries to log in to the
router with the Called-Station-Id '00-1D-7E-E7-96-9F'. However, the user is
authenticated and not rejected.

 

Here are the relevant parts of the debug output:

...

Mon Jan 19 20:57:03 2009 : Info: sql_xlat

Mon Jan 19 20:57:03 2009 : Debug:   expand: %{User-Name} - yubvef13

Mon Jan 19 20:57:03 2009 : Info: sql_set_user escaped user -- 'yubvef13'

Mon Jan 19 20:57:03 2009 : Debug:   expand: select groupname from
radhuntgroup where calledstationid = '%{Called-Station-Id}' - select
groupname from radhuntgroup where calledstationid = '00-1D-7E-E7-96-9F'

Mon Jan 19 20:57:03 2009 : Debug:   expand:
/var/log/freeradius/sqltrace.sql - /var/log/freeradius/sqltrace.sql

Mon Jan 19 20:57:03 2009 : Debug: rlm_sql (sql02): Reserving sql socket id:
3

Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query:  select groupname
from radhuntgroup where calledstationid = '00-1D-7E-E7-96-9F'

Mon Jan 19 20:57:03 2009 : Info: sql_xlat finished

Mon Jan 19 20:57:03 2009 : Debug: rlm_sql (sql02): Released sql socket id: 3

Mon Jan 19 20:57:03 2009 : Debug:   expand: %{sql02:select groupname
from radhuntgroup where calledstationid = '%{Called-Station-Id}'} -
Test-Rejec

Mon Jan 19 20:57:03 2009 : Info: ++[request] returns notfound

Mon Jan 19 20:57:03 2009 : Info: ++[chap] returns noop

Mon Jan 19 20:57:03 2009 : Info: ++[mschap] returns noop

Mon Jan 19 20:57:03 2009 : Info: [suffix] No '@' in User-Name = yubvef13,
looking up realm NULL

Mon Jan 19 20:57:03 2009 : Info: [suffix] No such realm NULL

Mon Jan 19 20:57:03 2009 : Info: ++[suffix] returns noop

Mon Jan 19 20:57:03 2009 : Info: [eap] No EAP-Message, not doing EAP

Mon Jan 19 20:57:03 2009 : Info: ++[eap] returns noop

Mon Jan 19 20:57:03 2009 : Info: ++- entering redundant-load-balance group
sql0203 {...}

Mon Jan 19 20:57:03 2009 : Debug:   expand: %{User-Name} - yubvef13

Mon Jan 19 20:57:03 2009 : Info: [sql02] sql_set_user escaped user --
'yubvef13'

Mon Jan 19 20:57:03 2009 : Debug: rlm_sql (sql02): Reserving sql socket id:
2

Mon Jan 19 20:57:03 2009 : Debug:   expand: SELECT id, username,
attribute, value, op   FROM radcheck   WHERE username =
BINARY '%{SQL-User-Name}'   ORDER BY id - SELECT id, username,
attribute, value, op   FROM radcheck   WHERE username =
BINARY 'yubvef13'   ORDER BY id

Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query:  SELECT id,
username, attribute, value, op   FROM radcheck   WHERE
username = BINARY 'yubvef13'   ORDER BY id

Mon Jan 19 20:57:03 2009 : Info: [sql02] User found in radcheck table

Mon Jan 19 20:57:03 2009 : Debug:   expand: SELECT id, username,
attribute, value, op   FROM radreply   WHERE username =
BINARY '%{SQL-User-Name}'   ORDER BY id - SELECT id, username,
attribute, value, op   FROM radreply   WHERE username =
BINARY 'yubvef13'   ORDER BY id

Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query:  SELECT id,
username, attribute, value, op   FROM radreply   WHERE
username = BINARY 'yubvef13'   ORDER BY id

Mon Jan 19 20:57:03 2009 : Debug:   expand: SELECT groupname
FROM usergroup   WHERE username = BINARY '%{SQL-User-Name}'
ORDER BY priority - SELECT groupname   FROM usergroup
WHERE username = BINARY 'yubvef13'   ORDER BY priority

Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query:  SELECT groupname
FROM usergroup   WHERE username = BINARY 'yubvef13'   ORDER
BY priority

Mon Jan 19 20:57:03 2009 : Debug:   expand: SELECT id, groupname,
attribute,   Value, op   FROM radgroupcheck   WHERE
groupname = '%{Sql-Group}'   ORDER BY id - SELECT id, groupname,
attribute,   Value, op   FROM radgroupcheck   WHERE
groupname = 'TestGroup'   ORDER BY id

Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query

Re: Huntgroups issue - every user is accepted

2009-01-19 Thread Alan DeKok
Hanno Schupp wrote:
 I am trying to implement huntgroups via MySQL according to
 http://wiki.freeradius.org/SQL_Huntgroup_HOWTO On difference is the
 assignment of huntgroups not according to NAS-IP, but to
 Called-Station-Id. The goal is to suppress roaming between hotspot
 routers, between groups of hotspots.

 For that purpose I have inserted the code
...
 In lieu of the module ‘preprocess’ into group ‘authorize’, as advised in
 the HOWTO.

  You also seem to be over-riding that in the SQL tables:

 `radgroupcheck` 
 `id`, `GroupName`, `Attribute`, `op`, `Value` 
 1, 'TestGroup', 'Huntgroup-Name', ':=', 'Test'

  This sets the Huntgroup-Name to Test.

 One would expect the user to be rejected if the user tries to log in to
 the router with the Called-Station-Id '00-1D-7E-E7-96-9F’, However, the
 user is authenticated and not rejected.

  You did not configure the server to reject the user if he logs in with
that Called-Station-Id.  You configured the server to put him in a
huntgroup if he logs in with that Called-Station-Id.

  Did you configure the server to reject users in the Test-Rejec
huntgroup?  It looks like you didn't.

 One thing I don’t get is, why is the rlm_sql_mysql module finding the
 Huntgroup-Name ‘Test-Rejec’ correctly, but module ‘request’ returns not
 found?

  There are explanations for that...

 The user is found in radgroupcheck for the correct usergroup
 ‘TestGroup’. As the values in radgroupcheck and radgroupreplycheck do
 not match, the user should be rejected, but the user is accepted.

  No.  If the values in radgroupcheck do not match it means they do
not match.

  You have *other* configurations that let the server authenticate the
request.  You did *not* configure the server to reject the request if
it's in the Test-Rejec huntgroup.

  Alan DeKok.

Re: Huntgroups issue - every user is accepted

2009-01-19 Thread tnt
The goal is to suppress roaming between hotspot routers, between groups of
hotspots.


`radhuntgroup`

`id`, `groupname`, `calledstationid`

1, 'Test-Rejec', '00-1D-7E-E7-96-9F'



`usergroup`

`UserName`, `GroupName`, `priority`

'yubvef13', 'TestGroup', 1



This is OK.


`radgroupcheck`

`id`, `GroupName`, `Attribute`, `op`, `Value`

1, 'TestGroup', 'Huntgroup-Name', ':=', 'Test'


This doesn't check anything. It sets huntgroup to Test.

As I understand it you want to reject huntgroups that are not Test. So
make such a policy:

Huntgroup-Name != Test, Auth-Type := Reject

Ivan Kalik
Kalik Informatika ISP



RE: Huntgroups issue - every user is accepted

2009-01-19 Thread Hanno Schupp


Thanks for your response. It overlapped time-wise with one from Alan.
However, the issue remains:
I do not want the user to be rejected per se. I only want the user to be
rejected if her own huntgroup as stored in radgroupcheck is different from
the huntgroup of the Called-Station-Id in the radhuntgroup table. The goal
is to prevent a user from logging in to a hotspot router that does not belong to
the huntgroup the user belongs to. I am sorry if I have left out any other
configuration, but again, according to the howto in the freeradius wiki,
what I have configured is all that is necessary. 
But the wiki seems to be incorrect, so what do I need to configure to have a
request rejected where a user's huntgroup and a NAS huntgroup do not
match?





RE: Huntgroups issue - every user is accepted

2009-01-19 Thread Hanno Schupp


-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com] 
Sent: Monday, 19 January 2009 10:29 p.m.
To: FreeRadius users mailing list
Subject: Re: Huntgroups issue - every user is accepted

Hanno Schupp wrote:
  I am trying to implement huntgroups via MySQL according to
  http://wiki.freeradius.org/SQL_Huntgroup_HOWTO On difference is the
  assignment of huntgroups not according to NAS-IP, but to
  Called-Station-Id. The goal is to suppress roaming between hotspot
  routers, between groups of hotspots.
 
  For that purpose I have inserted the code
...
  In lieu of the module ‘preprocess’ into group ‘authorize’, as advised in
  the HOWTO.

   You also seem to be over-riding that in the SQL tables:

  `radgroupcheck` 
  `id`, `GroupName`, `Attribute`, `op`, `Value` 
  1, 'TestGroup', 'Huntgroup-Name', ':=', 'Test'

   This sets the Huntgroup-Name to Test.

You are right, I checked the tutorial again, and the suggested operator in 
there is indeed ==

So now the entry reads:
`radgroupcheck` 
`id`, `GroupName`, `Attribute`, `op`, `Value` 
1, 'TestGroup', 'Huntgroup-Name', '==', 'Test'

Unfortunately it does not make any difference.

  One would expect the user to be rejected if the user tries to log in to
  the router with the Called-Station-Id '00-1D-7E-E7-96-9F’, However, the
  user is authenticated and not rejected.

   You did not configure the server to reject the user if he logs in with
 that Called-Station-Id.  You configured the server to put him in a
 huntgroup if he logs in with that Called-Station-Id.

   Did you configure the server to reject users in the Test-Rejec
 huntgroup?  It looks like you didn't.

I do not want the user to be rejected per se. I only want the user to be 
rejected if her own huntgroup as stored in radgroupcheck is different from the 
huntgroup of the Called-Station-Id in the radhuntgroup table. The goal is to 
prevent a user from logging in to a hotspot router that does not belong to the 
huntgroup the user belongs to. I am sorry if I have left out any other 
configuration, but again, according to the howto in the freeradius wiki, what I 
have configured is all that is necessary. Or are you saying the instructions on 
http://wiki.freeradius.org/SQL_Huntgroup_HOWTO are incorrect?

  One thing I don’t get is, why is the rlm_sql_mysql module finding the
  Huntgroup-Name ‘Test-Rejec’ correctly, but module ‘request’ returns not
  found?

   There are explanations for that...

Great. Can you please point out where, as neither rlm_sql nor 
/etc/freeradius/sql/mysql/dialup.conf says anything about returned status.

  The user is found in radgroupcheck for the correct usergroup
  ‘TestGroup’. As the values in radgroupcheck and radgroupreplycheck do
  not match, the user should be rejected, but the user is accepted.

   No.  If the values in radgroupcheck do not match it means they do
not match.

As per above, the howto on the freeradius wiki suggests something very 
different. If it is incorrect, that how to should be pulled.

   You have *other* configurations that let the server authenticate the
 request.  You did *not* configure the server to reject the request if
 it's in the Test-Rejec huntgroup.

Sure I do, but the wiki documentation suggests that the request would be 
rejected by the system on reading the radgroupcheck table and realising it has 
a different huntgroup than the one assigned to the NAS.

So let me ask another way: if the documentation is indeed incorrect, how do I 
reject a request where the huntgroup of user and NAS do not match?





RE: Huntgroups issue - every user is accepted

2009-01-19 Thread tnt
However, the issue remains:
I do not want the user to be rejected per se. I only want the user to be
rejected if her own huntgroup as stored in radgroupcheck is different from
the huntgroup of the Called-Station-Id in the radhuntgroup table. The goal
is to prevent a user to login to a hotspot router, that does not belong to
the huntgroup the user belongs to.

Hm, and what do you think:

 Huntgroup-Name != Test, Auth-Type := Reject

that does? As a joke, put them in radgroupcheck and see if it does
*exactly* what you have described.

Ivan Kalik
Kalik Informatika ISP



Re: huntgroups are failing auth - missing Chap Password

2008-05-13 Thread Alan DeKok
Terry Pelley wrote:
 As I said before, the only example of using a huntgroup I can see in the
 users file does not list a password attribute at all.

  Because the huntgroups file isn't about setting the password.  i.e.
it doesn't *do* that.  It's not *supposed* to do that.

Is the use of a huntgroups file the best way for me to accomplish what I
am trying to do? I want to limit user Bob so that he can only login from
one specific access point.

  users file:

bob Client-IP-Address != 1.2.3.4, Auth-Type := Reject

  That's it.  No huntgroups are necessary.

  Alan DeKok.
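The three threads above (Parashar Singh's kmcuser entry, Hanno Schupp's radgroupcheck row, and Alan's one-line users entry for bob) all come down to how check items are evaluated: `==` and `!=` compare against the request, `:=` sets a control item rather than checking anything, and processing stops at the first applying entry unless it carries Fall-Through. The following Python is an added example, not code from the posts or from rlm_files; it parses users-file syntax, resolves Huntgroup-Name from a small constructed huntgroups table, and walks the entries the way the replies describe, so the original kmcuser entries and the `!=` plus Reject pattern from the answers can be compared side by side. The entries, NAS addresses and function names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# `Attribute op value`, with an optional double-quoted value.
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|==|!=|=)\s*"?([^"]*?)"?\s*$')


@dataclass
class Entry:
    name: str                        # user name, or DEFAULT
    check: list                      # (attribute, op, value) items on the first line
    reply: list = field(default_factory=list)   # items on the indented lines below


def parse_items(text):
    """Parse a comma-separated list of `Attribute op value` items."""
    items = []
    for piece in text.split(","):
        if piece.strip():
            m = ITEM_RE.match(piece)
            if not m:
                raise ValueError("bad item: %r" % piece)
            items.append(m.groups())
    return items


def parse_users(text):
    """Parse users-file syntax: a name and its check items on one line,
    reply items on the indented lines that follow it."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            entries[-1].reply.extend(parse_items(line))
        else:
            name, _, rest = line.partition(" ")
            entries.append(Entry(name, parse_items(rest)))
    return entries


def entry_applies(entry, request):
    """An entry applies when the name matches and every comparison item passes.
    `:=` and `=` items on the check line are settings, not comparisons, so an
    entry like `DEFAULT Huntgroup-Name := Test` applies to every request."""
    if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
        return False
    for attr, op, value in entry.check:
        actual = request.get(attr)
        if op == "==" and actual != value:
            return False
        if op == "!=" and actual == value:
            return False
    return True


def evaluate(entries, request):
    """Walk the entries in order. Settings from the check line go to the control
    list (`:=` replaces, `=` only fills a gap); reply items are collected; the
    walk stops after the first applying entry unless it has Fall-Through."""
    control, reply = {}, {}
    for entry in entries:
        if not entry_applies(entry, request):
            continue
        for attr, op, value in entry.check:
            if op == ":=" or (op == "=" and attr not in control):
                control[attr] = value
        fall_through = False
        for attr, op, value in entry.reply:
            if attr == "Fall-Through":
                fall_through = value.lower() in ("yes", "1")
            else:
                reply[attr] = value
        if not fall_through:
            break
    return control, reply


# Constructed stand-in for the huntgroups file line `kmc1  NAS-IP-Address == 172.16.0.150`.
HUNTGROUPS = {"172.16.0.150": "kmc1"}

# The entries from the first thread: kmcuser falls through to DEFAULT, which
# lets the user in from any NAS.
ORIGINAL_USERS = """\
kmcuser Auth-Type := LDAP, Huntgroup-Name == kmc1
        Fall-Through = Yes
DEFAULT Auth-Type = LDAP
        Fall-Through = 1
"""

# The `!=` plus Reject pattern from the later answers: reject kmcuser anywhere
# outside the kmc1 huntgroup, and let everything else reach DEFAULT.
FIXED_USERS = """\
kmcuser Huntgroup-Name != kmc1, Auth-Type := Reject
DEFAULT Auth-Type = LDAP
"""


def auth_type_for(users_text, user, nas_ip, client_ip=None):
    """Return the Auth-Type the users file decides for a request from nas_ip."""
    request = {"User-Name": user, "NAS-IP-Address": nas_ip,
               "Client-IP-Address": client_ip or nas_ip,
               "Huntgroup-Name": HUNTGROUPS.get(nas_ip)}
    control, _ = evaluate(parse_users(users_text), request)
    return control.get("Auth-Type")
```

With `ORIGINAL_USERS`, kmcuser gets Auth-Type LDAP from every NAS, because the DEFAULT entry applies whenever the kmcuser entry does not; with `FIXED_USERS`, a request outside the kmc1 huntgroup ends at the Reject entry. The same evaluator shows the radgroupcheck point: an entry whose only "check" is `Huntgroup-Name := Test` applies to every request, while `Huntgroup-Name == Test` applies only when the huntgroup really is Test. In the server, Huntgroup-Name is resolved by the preprocess module (or the SQL xlat from the HOWTO) rather than by a dictionary, and rlm_files also supports operators such as `+=` and `=~` that this example leaves out.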


huntgroups are failing auth - missing Chap Password

2008-05-07 Thread Terry Pelley
FreeRADIUS Version 1.1.7 

I am using the FreeRADIUS.net Windows version of the software, at least
for the time being.

I am trying to set up a very basic single user account for a very specific
purpose and have created the account as follows.

hunttest User-Password == hunttest, Huntgroup-Name == hunttest

My huntgroups file has a huntgroup called hunttest with a single NAS IP
Address listed as follows.

public  NAS-IP-Address == 10.252.9.2

When the user hunttest attempts to authenticate it fails. My RADIUS log
shows the following entry.

Wed May  7 15:07:25 2008 : Auth: Login incorrect (rlm_chap: Clear text
password not available): [hunttest/CHAP-Password] (from client NAS04
port 5 cli 00-1E-8C-0E-8E-70)
Wed May  7 15:07:25 2008 : Auth: Login incorrect (rlm_chap: Clear text
password not available): [hunttest/CHAP-Password] (from client NAS04
port 5 cli 00-1E-8C-0E-8E-70)

Can someone tell me what is wrong? I am simply trying to create a config
that will allow the user hunttest to authenticate only if the request
comes from the client NAS04. Perhaps a huntgroup is not the best way to do
this.


Re: huntgroups are failing auth - missing Chap Password

2008-05-07 Thread Ivan Kalik
Read instructions in users file about which password attribute should you
be using. User-Password is wrong for 1.1.7.

Ivan Kalik
Kalik Informatika ISP




RE: Hints Huntgroups [SEC=UNCLASSIFIED] (Ranner, Frank MR)

2008-04-03 Thread Dean Smith
Thanks Frank

I'd tried two instances of preprocess but couldn't get it to work. I'll do
some reading and try again.

I have got the huntgroup now set in the Hints file though, so the immediate
problem is solved.

Thanks again
Dean



Hints Huntgroups

2008-04-02 Thread Dean Smith
Should I be able to either

1) Set a Huntgroup via the huntgroups file (matching on NAS-IP-Address) and
use that in the Hints file as a match (Huntgroup-Name == blah) or
2) Set a Hint in the hints file and use that as the match for the
Huntgroup 

Currently testing on FreeRADIUS Version 1.1.0 and the files seem to be
parsed independently, so attributes modified/added in one aren't visible in
the other?

Essentially I'd like to set both a huntgroup and perform some username
substitution in hints on queries from the same set of NAS. I can define the
full set of NAS in both files of course but was hoping to only define the
list of NAS-IP-Address once. Ideally set the Huntgroup first and then use
the Huntgroup-Name in the Hints file.

Thanks

Dean Smith



RE: Hints Huntgroups [SEC=UNCLASSIFIED]

2008-04-02 Thread Ranner, Frank MR
UNCLASSIFIED



Hints is processed first, then Huntgroups. You can set up 2 instances of
preprocess, process huntgroups in the first instance and hints in the
second. You can also set the Huntgroup item in hints as the result of an
sql or ldap lookup. Once the huntgroup variable exists, further
huntgroup sections exit immediately.

Regards,
Frank Ranner 

Classification=UNCLASSIFIED
Precedence=ROUTINE

Re: accounting - no huntgroups

2008-02-13 Thread Arran Cudbard-Bell




  In 2.0, much of the huntgroup functionality can be done with a little
bit of magic:

 client foo {
ipaddr = 127.0.0.1
secret = x
huntgroup = foo # invent ANYTHING here! foo = bar, x = y, etc.
 }

  Then in unlang:

...
if ("%{client:huntgroup}" == "foo") {
...
}

  i.e. you can use the configuration files to add arbitrary tags to a
client, and then check them at run time.
  
Woah, get that working with SQL and you have an insanely useful feature. 
Oooo, what VLANs does this NAS support? Hmm, I'll just check the client 
VLAN tags. Where is this NAS located? Hmm, I'll just check the 
arbitrarily populated location tag.



Who was meant to be updating the client list SQL features for 2.0 ?




--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Re: accounting - no huntgroups

2008-02-13 Thread Alan DeKok
Phil Mayers wrote:
 I've never had cause to look at it before, but I discovered today that
 accounting doesn't support huntgroups; specifically, an attempt to match
 on Huntgroup-Name in acct_users
 
 Is this expected?

  The preprocess module doesn't do huntgroups for accounting requests.
 This should be relatively easy to fix.

 How does one normally specify Acct-Type based on a
 huntgroup, if (say) the Class attribute is already being used?

  In 2.0, much of the huntgroup functionality can be done with a little
bit of magic:

 client foo {
ipaddr = 127.0.0.1
secret = x
huntgroup = foo # invent ANYTHING here! foo = bar, x = y, etc.
 }

  Then in unlang:

...
if (%{client:huntgroup} == foo) {
...
}

  i.e. you can use the configuration files to add arbitrary tags to a
client, and then check them at run time.

  Alan DeKok.


Re: accounting - no huntgroups

2008-02-13 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 Woah, get that working with SQL and you have an insanely useful feature.
 Oooo what VLANs does this NAS support, hmm I'll just check the client
 VLAN tags. Where is this NAS located, hmm I'll just check the
 arbitrarily populated location tag.

  Err... why?  You can do that already:

  if (%{sql: SELECT ... WHERE client = %{client:shortname} ...} 

  Alan DeKok.


Re: accounting - no huntgroups

2008-02-13 Thread A . L . M . Buxey
Hi,
 Arran Cudbard-Bell wrote:
  Woah, get that working with SQL and you have an insanely useful feature.
  Oooo what VLANs does this NAS support, hmm I'll just check the client
  VLAN tags. Where is this NAS located, hmm I'll just check the
  arbitrarily populated location tag.
 
   Err... why?  You can do that already:
 
   if (%{sql: SELECT ... WHERE client = %{client:shortname} ...} 

yep - but I think the default schema for clients didn't have these
extra features added. At least someone mentioned synchronising them
recently.

more importantly for other people - do these attributes get passed
through the message structure for PERL and Python?


alan


Re: accounting - no huntgroups

2008-02-13 Thread Arran Cudbard-Bell

Alan DeKok wrote:

Arran Cudbard-Bell wrote:
  

Woah, get that working with SQL and you have an insanely useful feature.
Oooo what VLANs does this NAS support, hmm I'll just check the client
VLAN tags. Where is this NAS located, hmm I'll just check the
arbitrarily populated location tag.



  Err... why?  You can do that already:

  if (%{sql: SELECT ... WHERE client = %{client:shortname} ...} 

  Alan DeKok.
  

Yeah ... I know.

It's just with static information, you don't really want to be querying 
the database again and again for each query. Lodging the information 
against the client is far more efficient, especially with VLAN 
information which isn't going to be changing regularly.


--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Re: accounting - no huntgroups

2008-02-13 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 yep - but I think the default schema for clients didn't have these
 extra features added. At least someone mentioned synchronising them
 recently.
 
 more importantly for other people - do these attributes get passed
 through the message structure for PERL and Python?

  Nope.  They're only in the configuration file, and only available via
the run-time expansion.

  But you *can* do:

update request {
Client-Foo = %{client:foo}
}

  Which is good enough for most purposes.

  Alan DeKok.


accounting - no huntgroups

2008-02-12 Thread Phil Mayers
I've never had cause to look at it before, but I discovered today that 
accounting doesn't support huntgroups; specifically, an attempt to match 
on Huntgroup-Name in acct_users


Is this expected? How does one normally specify Acct-Type based on a 
huntgroup, if (say) the Class attribute is already being used?



Re: Multiple Huntgroups for one User? 2nd Try

2007-09-17 Thread Alexander Papenburg

[EMAIL PROTECTED] schrieb:

huntgroups file:

pool3   NAS-IP-Address == NAS1IPAddress
pool3   NAS-IP-Address == NAS2IPAddress
pool3   NAS-IP-Address == NAS3IPAddress



DEFAULT Huntgroup-Name == pool3, User-Name == user2, Auth-Type := Reject

in users file. Huntgroups *are* what you refer to as hostpools.

Ivan Kalik
Kalik Informatika ISP

  

You're right with the hostpools... %)


Maybe this will more exactly explain my question:

I have 4 groups of users:

Admins (which are allowed to access all hosts)
- okay quite easy, simply no huntgroup

FW-Admins (which are allowed to access only FW-IPs)
- easy too, huntgroup FW-IPs

RTR-Admins (which are allowed to access all CPE-IPs)
- difficult (big net) so I want to use REGEX wildcards, which 
unfortunately covers the FW-IPs


Apprentice (which are allowed to access only TEST-IPs)
- again easy, huntgroup TEST-IPs


So what I want is something like in an example 10.0.0.0/16 net (with 
approx. 400-500 devices in this range) ...



huntgroups:

FW-IPs   NAS-IP-Address == 10.0.0.1
FW-IPs   NAS-IP-Address == 10.0.0.2
FW-IPs   NAS-IP-Address == 10.0.0.3

CPE-IPs   NAS-IP-Address =~ '10\.0\..*\..*'

TEST-IPs   NAS-IP-Address == 10.0.255.1
TEST-IPs   NAS-IP-Address == 10.0.255.2
TEST-IPs   NAS-IP-Address == 10.0.255.3


users:

anderson Huntgroup-Name == CPE-IPs, Huntgroup-Name != FW-IPs (Is this possible ?!?)

- for a user who should access all the 10.0.0.0/16 net except the FW IPs.

smith Huntgroup-Name == TEST-IPs
- a simple apprentice entry

and so on ...


Any ideas?

Alexander


Re: Multiple Huntgroups for one User? 2nd Try

2007-09-17 Thread tnt
RTR-Admins (which are allowed to access all CPE-IPs)
- difficult (big net) so I want to use REGEX wildcards, which
unfortunately covers the FW-IPs



huntgroups:

FW-IPs   NAS-IP-Address == 10.0.0.1
FW-IPs   NAS-IP-Address == 10.0.0.2
FW-IPs   NAS-IP-Address == 10.0.0.3

CPE-IPs   NAS-IP-Address =~ '10\.0\..*\..*'

TEST-IPs   NAS-IP-Address == 10.0.255.1
TEST-IPs   NAS-IP-Address == 10.0.255.2
TEST-IPs   NAS-IP-Address == 10.0.255.3


users:

anderson Huntgroup-Name == CPE-IPs, Huntgroup-Name != FW-IPs (Is this possible ?!?)
- for a user who should access all the 10.0.0.0/16 net except the FW IPs.

No. Do this:

anderson   Huntgroup-Name == FW-IPs, Auth-Type := Reject
(it will cut down processing)

This is an example of when you should set Auth-Type. The CPE huntgroup includes
all the others, so you can do away with it.

Ivan Kalik
Kalik Informatika ISP

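To see why the ordering Ivan gives matters, here is an added example that is not FreeRADIUS code and not from either poster: a small Python model that parses the huntgroups file from Alexander's question, works out which huntgroups a given NAS-IP-Address falls into, and walks a users list in first-match order. The huntgroups text and the users entries are constructed from the thread; the parser handles only NAS-IP-Address checks with `==` and `=~`, and the `re.search` call is assumed here to mirror the unanchored regex match FreeRADIUS applies for `=~`.

```python
import re

# Constructed huntgroups file, modelled on the one in the thread above.
# This is a simplified re-implementation of how huntgroup check items are
# matched against NAS-IP-Address, not FreeRADIUS's own code.
HUNTGROUPS = r"""
FW-IPs    NAS-IP-Address == 10.0.0.1
FW-IPs    NAS-IP-Address == 10.0.0.2
FW-IPs    NAS-IP-Address == 10.0.0.3

CPE-IPs   NAS-IP-Address =~ '10\.0\..*\..*'

TEST-IPs  NAS-IP-Address == 10.0.255.1
TEST-IPs  NAS-IP-Address == 10.0.255.2
TEST-IPs  NAS-IP-Address == 10.0.255.3
"""

# name, operator, value; only NAS-IP-Address checks are modelled here
ENTRY_RE = re.compile(r"^(\S+)\s+NAS-IP-Address\s+(==|=~)\s+'?([^']+?)'?\s*$")


def parse_huntgroups(text):
    """Parse huntgroups lines into (name, op, value) tuples, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsed huntgroups line: {line!r}")
        entries.append(m.groups())
    return entries


def huntgroups_for(nas_ip, entries):
    """Return the set of huntgroup names whose check item matches this NAS.

    A NAS can belong to several huntgroups at once; that is exactly why the
    CPE-IPs regex in the thread also covers the firewall addresses.
    """
    names = set()
    for name, op, value in entries:
        if op == "==" and nas_ip == value:
            names.add(name)
        elif op == "=~" and re.search(value, nas_ip):
            # assumed: FreeRADIUS regex checks are unanchored, so search, not match
            names.add(name)
    return names


# Constructed users entries: (User-Name, required Huntgroup-Name, Auth-Type or None),
# listed in the order Ivan recommends: the FW-IPs reject comes first.
USERS_REJECT_FIRST = [
    ("anderson", "FW-IPs",   "Reject"),
    ("anderson", "CPE-IPs",  None),
    ("smith",    "TEST-IPs", None),
]

# The same entries with the CPE-IPs line first, to show why order matters.
USERS_CPE_FIRST = [
    ("anderson", "CPE-IPs",  None),
    ("anderson", "FW-IPs",   "Reject"),
    ("smith",    "TEST-IPs", None),
]


def decide(username, nas_ip, users, entries):
    """Model users-file evaluation: the first entry whose check items all
    match wins (no Fall-Through). Returns "reject" when that entry sets
    Auth-Type := Reject, "authenticate" when it sets nothing (the request
    goes on to normal authentication), and "no-match" when no entry applies.
    """
    groups = huntgroups_for(nas_ip, entries)
    for name, huntgroup, auth_type in users:
        if name != username or huntgroup not in groups:
            continue
        return "reject" if auth_type == "Reject" else "authenticate"
    return "no-match"


if __name__ == "__main__":
    entries = parse_huntgroups(HUNTGROUPS)
    for nas in ("10.0.0.1", "10.0.7.42", "10.0.255.1"):
        print(nas, sorted(huntgroups_for(nas, entries)))
    print("anderson from 10.0.0.1, reject first:",
          decide("anderson", "10.0.0.1", USERS_REJECT_FIRST, entries))
    print("anderson from 10.0.0.1, CPE first:   ",
          decide("anderson", "10.0.0.1", USERS_CPE_FIRST, entries))
```

Running it shows 10.0.0.1 sitting in both FW-IPs and CPE-IPs, which is the overlap Alexander ran into; with the reject entry first anderson is refused from a firewall address, whereas with the CPE-IPs entry first the same request would proceed to authentication.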


Multiple Huntgroups for one User? 2nd Try

2007-09-14 Thread Alexander Papenburg

2nd Try, just in case my 1st message was not recognized ;-)


Hi Freeradius-List,

is it possible to give/deny access to multiple huntgroups for a single
user/group?

E.g.: User/group is denied to access hosts 10.0.0.1, 10.0.0.2 and
10.0.0.3 but is allowed to access all the other hosts in 10.0.0.0/24.

Something like hostpools would be nice (e.g.: user/group1 can access
pool1, pool2 and pool3. user2 can access pools 1+2 but is denied to
access pool3).


Thanks in advance,

Alexander


