> Dear [EMAIL PROTECTED],

> Group-Name == "slow"

> checks for Group-Name attribute in check list (that is list of
> attributes received in RADIUS request).

> format = "*User-Name:User-Password:Group-Name"

> adds Group-Name attribute to config items list. So there will never be
> Group-Name in check list. Changing Group-Name to Group will give no
> result.

Can I move an attribute from the config items list to the check list?
Or how can I check a config attribute?

> I can change rlm_passwd to be able to add something to reply attributes
> list. In this case you will be able to directly add Pool-Name from
> passwd file to RADIUS reply.

No, this is a bad idea to add Pool-Name to the reply.
Imagine I have 2 NASes with 2 IP pools each
(ippool-1-fast, ippool-1-slow for the 1st NAS and ippool-2-fast, ippool-2-slow for the 2nd NAS).
So we have 4 different IP pools.
A user can connect to any of the NASes.
rlm_passwd returns slow or fast for the user.
If a user from the slow group connected to NAS#1, Pool-Name has to be
changed to ippool-1-slow. If the user connected to NAS#1, then
Pool-Name := ippool-2-slow.

Can you explain to me how I can make such a choice?




mmr>> I have a similar problem. I am trying group-based authentication.

mmr>> in radius.conf:

mmr>> passwd raddb_userlist {
mmr>>   filename = /etc/raddb/userlist
mmr>>   format = "*User-Name:User-Password:Group-Name"
mmr>>   authtype = MS-CHAP
mmr>>   hashsize = 1000
mmr>>   ignorenislike = no
mmr>>   allowmultiplekeys = no
mmr>> }

mmr>> in /etc/raddb/userlist:

mmr>> mmike:mike:fast

mmr>> users file (with line numbers):

mmr>> 185:DEFAULT Group-Name == "slow", Pool-Name := "ippool-1-slow"
mmr>> 186:    Fall-Through = Yes
mmr>> 187:
mmr>> 188:DEFAULT Group-Name == "fast", Pool-Name := "ippool-1-fast"
mmr>> 189:    Fall-Through = Yes
mmr>> 190:
mmr>> 191:DEFAULT     Service-Type == Framed-User
mmr>> 192:    Framed-MTU = 1500,
mmr>> 193:    Service-Type = Framed-User,
mmr>> 194:    Fall-Through = Yes


mmr>> Now I run radiusd:
mmr>> # radiusd -xx

mmr>> ...
mmr>> modcall: entering group authorize
mmr>>   modcall[authorize]: module "preprocess" returns ok
mmr>> rlm_passwd: Added User-Password: mike
mmr>> rlm_passwd: Added Group-Name: fast      <---- Group-Name attribute added with value "fast"
mmr>> rlm_passwd: Adding Auth-Type: MS-CHAP
mmr>> ....
mmr>>     users: Matched DEFAULT at 191
mmr>>   modcall[authorize]: module "files" returns ok
mmr>> ...

mmr>> MATCH found at line 191 only. Hm.. what about line 188?!!!

mmr>> I tried to use the "Group" attr instead of "Group-Name". The result is the same.

mmr>> It's like a bug?


>>> I have installed freeradius 0.7.1 on slackware 8.0 with shadow password.
>>> Installation was OK and basic functions are working.
>>> I have experienced problems when I try to deny access to one of the groups
>>> on the radius server.
>>> The following instructions did not help.
>>> I tried:
>>> DEFAULT Group == "users" , Auth-Type :=Reject
>>> DEFAULT Group == users , Auth-Type :=Reject
>>> DEFAULT Group == "users" , Auth-Type =Reject
>>> DEFAULT Group == users , Auth-Type =Reject
>>> And more before:
>>> DEFAULT  Auth-Type := System
>>> but nothing works.
>>> User marcin, group users, was always able to authenticate.
>>> This is a debug of the auth process:
>>> 
>>> rad_recv: Access-Request packet from host 216.168.1.38:4751, id=131,
>>> length=81
>>>         NAS-IP-Address = 216.168.1.38
>>>         Calling-Station-Id = "204.251.93.250"
>>>         User-Name = "marcin@hostplus.net"
>>>         User-Password = "\274\252\2162\275\rS+\305F.\240\007Ia"
>>> modcall: entering group authorize
>>>   modcall[authorize]: module "preprocess" returns ok
>>>     rlm_realm: Looking up realm hostplus.net for User-Name =
>>> "marcin@hostplus.net"
>>>     rlm_realm: Found realm hostplus.net
>>>     rlm_realm: Adding Stripped-User-Name = "marcin"
>>>   rlm_realm: Proxying request from user marcin to realm hostplus.net
>>>     rlm_realm: Adding Realm = "hostplus.net"
>>> rlm_realm:  Authentication realm is LOCAL.
>>> rlm_realm:  auth_port is not set.  proxy cancelled
>>>   modcall[authorize]: module "suffix" returns noop
>>>     users: Matched DEFAULT at 6
>>>   modcall[authorize]: module "files" returns ok
>>> modcall: group authorize returns ok
>>>   rad_check_password:  Found Auth-Type System
>>> auth: type "System"
>>> modcall: entering group authenticate
>>>   modcall[authenticate]: module "unix" returns ok
>>> modcall: group authenticate returns ok
>>> Login OK: [marcin@hostplus.net] (from client supernews port 0 cli
>>> 204.251.93.250)
>>> Sending Access-Accept of id 131 to 216.168.1.38:4751
>>> Finished request 4
>>> Going to the next request
>>> 
>>> And one more thing.
>>> Will I be able to limit access based on
>>> Called-Station-id?
>>> If so, what would be the process to set this up?
>>> 
>>> 
>>> 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
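
The matching behaviour explained in the first quoted reply, replayed as a small Python model on the userlist line and users-file entries from the thread. This is an added example, not FreeRADIUS code or part of the original messages; the sample request and the `compare_against_config` switch are constructed for illustration and are not a FreeRADIUS option.

```python
# Simplified model of the behaviour described in the thread (not FreeRADIUS code).
USERLIST = "mmike:mike:fast\n"                    # /etc/raddb/userlist, from the thread
FORMAT = "*User-Name:User-Password:Group-Name"    # rlm_passwd format, from the thread

# (users-file line, attribute tested with ==, expected value, Pool-Name set on match)
USERS_ENTRIES = [
    (185, "Group-Name", "slow", "ippool-1-slow"),
    (188, "Group-Name", "fast", "ippool-1-fast"),
    (191, "Service-Type", "Framed-User", None),
]

def passwd_lookup(request, userlist=USERLIST, fmt=FORMAT):
    """Return the attributes the passwd lookup adds to the config items list."""
    fields = fmt.split(":")
    key_idx = next(i for i, f in enumerate(fields) if f.startswith("*"))
    key = fields[key_idx].lstrip("*")
    for line in userlist.splitlines():
        values = line.split(":")
        if len(values) == len(fields) and values[key_idx] == request.get(key):
            return {f: v for i, (f, v) in enumerate(zip(fields, values))
                    if i != key_idx}
    return {}

def authorize(request, compare_against_config=False):
    """Return (config items, matched users-file lines, pools assigned)."""
    config = passwd_lookup(request)
    # Per the thread: == is evaluated against the attributes received in the
    # request, so values that only exist in the config items list are not seen.
    # compare_against_config=True is a hypothetical "what the poster expected".
    lookup = {**request, **config} if compare_against_config else dict(request)
    matched = [n for n, attr, val, _ in USERS_ENTRIES if lookup.get(attr) == val]
    pools = [p for n, _, _, p in USERS_ENTRIES if n in matched and p]
    return config, matched, pools

# Constructed sample request; only User-Name "mmike" comes from the thread.
SAMPLE_REQUEST = {"User-Name": "mmike", "Service-Type": "Framed-User"}

if __name__ == "__main__":
    print(authorize(SAMPLE_REQUEST))                               # only line 191
    print(authorize(SAMPLE_REQUEST, compare_against_config=True))  # 188 and 191
```

In the model, as in the debug output above, the group rule at line 188 never fires and no Pool-Name is set. The same mismatch makes a `Group == ... Auth-Type := Reject` style rule silently not apply, so group-based deny rules should be verified against the debug log rather than assumed to work.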