configuring groups in sql tables

2006-12-14 Thread Alexander Serkin

Sorry, maybe my question was not spelled well.
Actually I need to move multiple default entries from users file into 
sql table. Is it possible to create multiple DEFAULT instances in sql 
tables instead of placing them in users file like this:


DEFAULT Huntgroup-Name == MSK, Realm == domain1.com, Auth-Type := Accept
    Service-Type = Outbound-User,
    Tunnel-Type = L2TP,
    Tunnel-Server-Endpoint = 1.1.1.1,
    Cisco-AVpair += vpdn:l2tp-tunnel-password=secret1

DEFAULT Huntgroup-Name == MSK, Realm == domain2.com, Auth-Type := Accept
    Service-Type = Outbound-User,
    Tunnel-Type = L2TP,
    Tunnel-Server-Endpoint = 2.2.2.2,
    Cisco-AVpair += vpdn:l2tp-tunnel-password=secret2

and so on ?


Alexander Serkin wrote:

Hi,
Either I'm missing something in docs or it is impossible to do more than 
one groupcheck for the same username by sql.

I have two groups which should be authorized differently - group1:
DEFAULT Huntgroup-Name == MSK, Realm == domain.com, Auth-Type := Accept
    Service-Type = Outbound-User,
    Tunnel-Type = L2TP,
    Tunnel-Server-Endpoint = xxx.yyy.97.71,
    Cisco-AVpair += vpdn:l2tp-tunnel-password=secret

and group2:
DEFAULT Realm == domain.com, NAS-IP-Address == xxx.yyy.117.1
    Framed-Protocol = PPP,
    Service-Type = Framed,
    Framed-IP-Netmask = 255.255.255.255,
    cisco-avpair = lcp:interface-config=peer default ip address pool VRFNAM\nppp ipcp dns aaa.bbb.1.253 aaa.bbb.1.253\nppp ipcp wins aaa.bbb.1.253\n

What I can do:
insert into RADGROUPCHECK values('','group2','Realm','==','domain.com');
insert into RADGROUPCHECK values('','group2','NAS-IP-Address','==','xxx.yyy.117.1');
insert into RADGROUPREPLY values('','group2','Framed-Protocol','=','PPP');
insert into RADGROUPREPLY values('','group2','Service-Type','=','Framed');
insert into RADGROUPREPLY values('','group2','Framed-IP-Netmask','=','255.255.255.255');
insert into RADGROUPREPLY values('','group2','cisco-avpair','=','lcp:interface-config=peer default ip address pool group1\nppp ipcp dns aaa.bbb.1.253 aaa.bbb.1.253\nppp ipcp wins aaa.bbb.1.253\n');

and

insert into USERGROUP values('','[EMAIL PROTECTED]','','group2','5');

Then I can remove group2 description from users file and it works.
But when I do the same with group1 - both groups 1 and 2 stop working.
The difference is that both radgroupcheck and radgroupreply sql queries 
now return two attribute sets for group 1 and 2 simultaneously.
I thought that radiusd should follow check items and select the proper 
group according to attributes present in the request, but sqlauth module 
returns notfound. So the users file and sql tables are not processed in 
the same manner. What am I missing?





--
Sincerely Yours,
Alexander Serkin,
Moscow Cellular Communications,
ph. +7(495)7952089
fa. +7(495)7952084
skype: aserkin
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: configuring groups in sql tables

2006-12-14 Thread Michael Schwartzkopff
On Thursday, 14 December 2006 09:39, Alexander Serkin wrote:
 Sorry, maybe my question was not spelled well.
 Actually I need to move multiple default entries from users file into
 sql table. Is it possible to create multiple DEFAULT instances in sql
 tables instead of placing them in users file like this:

Perhaps you like to use the SQL-Group test like

TestNAS1 NAS-IP-Address == xxx.xxx.xxx.xxx
SQL-Group == dialup,
SQL-Group == adsl

in the proxy config.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: configuring groups in sql tables

2006-12-14 Thread Alexander Serkin

Michael Schwartzkopff wrote:


Perhaps you like to use the SQL-Group test like

TestNAS1 NAS-IP-Address == xxx.xxx.xxx.xxx
SQL-Group == dialup,
SQL-Group == adsl

in the proxy config.



Sorry, Michael.
Did not understand this quite well. My multiple DEFAULT entries do not 
depend on NAS. They are mostly defined by Realm - on every specific 
realm we should accept the request and give different tunnel attributes.
So do we need to determine the group by RealmHuntgroup-Name and insert 
the reply attributes into radgroupreply?

That does not fit in my mind, sorry. I need an example :-)


--
als


Re: configuring groups in sql tables

2006-12-14 Thread Michael Schwartzkopff
On Thursday, 14 December 2006 10:23, Alexander Serkin wrote:
 Michael Schwartzkopff wrote:
  Perhaps you like to use the SQL-Group test like
 
  TestNAS1 NAS-IP-Address == xxx.xxx.xxx.xxx
  SQL-Group == dialup,
  SQL-Group == adsl
 
  in the proxy config.

 Sorry, Michael.
 Did not understand this quite well. My multiple DEFAULT entries do not
 depend on NAS. They are mostly defined by Realm - on every specific
 realm we should accept the request and give different tunnel attributes.
 So do we need to determine the group by RealmHuntgroup-Name and insert
 the reply attributes into radgroupreply?
 That does not fit in my mind, sorry. I need an example :-)

No. But you could try to use the SQL-Group Attribute in the check item.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



configuring groups in sql tables

2006-11-27 Thread Alexander Serkin

Hi,
Either I'm missing something in docs or it is impossible to do more than 
one groupcheck for the same username by sql.

I have two groups which should be authorized differently - group1:
DEFAULT Huntgroup-Name == MSK, Realm == domain.com, Auth-Type := Accept
    Service-Type = Outbound-User,
    Tunnel-Type = L2TP,
    Tunnel-Server-Endpoint = xxx.yyy.97.71,
    Cisco-AVpair += vpdn:l2tp-tunnel-password=secret

and group2:
DEFAULT Realm == domain.com, NAS-IP-Address == xxx.yyy.117.1
    Framed-Protocol = PPP,
    Service-Type = Framed,
    Framed-IP-Netmask = 255.255.255.255,
    cisco-avpair = lcp:interface-config=peer default ip address pool VRFNAM\nppp ipcp dns aaa.bbb.1.253 aaa.bbb.1.253\nppp ipcp wins aaa.bbb.1.253\n

What I can do:
insert into RADGROUPCHECK values('','group2','Realm','==','domain.com');
insert into RADGROUPCHECK values('','group2','NAS-IP-Address','==','xxx.yyy.117.1');
insert into RADGROUPREPLY values('','group2','Framed-Protocol','=','PPP');
insert into RADGROUPREPLY values('','group2','Service-Type','=','Framed');
insert into RADGROUPREPLY values('','group2','Framed-IP-Netmask','=','255.255.255.255');
insert into RADGROUPREPLY values('','group2','cisco-avpair','=','lcp:interface-config=peer default ip address pool group1\nppp ipcp dns aaa.bbb.1.253 aaa.bbb.1.253\nppp ipcp wins aaa.bbb.1.253\n');

and

insert into USERGROUP values('','[EMAIL PROTECTED]','','group2','5');

Then I can remove group2 description from users file and it works.
But when I do the same with group1 - both groups 1 and 2 stop working.
The difference is that both radgroupcheck and radgroupreply sql queries 
now return two attribute sets for group 1 and 2 simultaneously.
I thought that radiusd should follow check items and select the proper 
group according to attributes present in the request, but sqlauth module 
returns notfound. So the users file and sql tables are not processed in 
the same manner. What am I missing?


--
Sincerely Yours,
Alexander
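
The symptom reported in the message above, modeled as an added example (not code from the thread and not FreeRADIUS source): when one joined query returns the check items of every group a user belongs to and they are evaluated as a single list, neither request type can match, whereas per-entry evaluation as in the users file selects the right group. Assumptions: the user is a member of both groups, the group1 rows are constructed by analogy with the posted group2 inserts, the user name is a placeholder, and the table layout is simplified.

```python
import sqlite3

# Constructed rows: group2 follows the inserts in the post; group1 is the
# analogous translation of the first DEFAULT entry (an assumption).
CHECKS = [
    ("group1", "Huntgroup-Name", "==", "MSK"),
    ("group1", "Realm", "==", "domain.com"),
    ("group2", "Realm", "==", "domain.com"),
    ("group2", "NAS-IP-Address", "==", "xxx.yyy.117.1"),
]
USER = "user@domain.com"  # placeholder user name, not from the thread

def load():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radgroupcheck "
               "(id INTEGER PRIMARY KEY, groupname, attribute, op, value)")
    db.execute("CREATE TABLE usergroup (username, groupname)")
    db.executemany("INSERT INTO radgroupcheck (groupname, attribute, op, value) "
                   "VALUES (?,?,?,?)", CHECKS)
    db.executemany("INSERT INTO usergroup VALUES (?,?)",
                   [(USER, "group1"), (USER, "group2")])
    return db

def group_checks(db, user):
    # One joined query: check items of all of the user's groups come back together.
    return db.execute(
        "SELECT c.groupname, c.attribute, c.value FROM radgroupcheck c "
        "JOIN usergroup u ON u.groupname = c.groupname "
        "WHERE u.username = ? ORDER BY c.id", (user,)).fetchall()

def match_merged(rows, request):
    # Whole result set treated as one check list: every '==' item must match.
    return all(request.get(attr) == val for _, attr, val in rows)

def match_per_group(rows, request):
    # users-file-like behaviour: each group is its own entry, first full match wins.
    groups = {}
    for group, attr, val in rows:
        groups.setdefault(group, []).append((attr, val))
    for group, items in groups.items():
        if all(request.get(a) == v for a, v in items):
            return group
    return None

if __name__ == "__main__":
    rows = group_checks(load(), USER)
    ppp = {"Realm": "domain.com", "NAS-IP-Address": "xxx.yyy.117.1"}  # constructed
    print("merged:", match_merged(rows, ppp), "per-group:", match_per_group(rows, ppp))
```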
