On Fri, 7 Jan 2005, Dustin Doris wrote:
Maybe you can do groups. For example, setup an unlimited group and a read_only group. Then put the users into the appropriate group.
Have your users file say something like.
DEFAULT Huntgroup-Name == Juniper, Group == "unlimited"
        Juniper-Local-User-Name = "UNLIMITED"

DEFAULT Huntgroup-Name == Juniper, Group == "read_only"
        Juniper-Local-User-Name = "READ_ONLY"
This seems like the answer, but I am again being stupid and must be missing something. When I try to login now, I get authenticated, but the Attributes never get sent back. Here is what I have defined:
----------------------------------------------------------------
DEFAULT Group == "J-UNRESTRICTED", Huntgroup-Name == JUNIPER
        Juniper-Local-User-Name = "UNRESTRICTED", Fall-Through = Yes

DEFAULT Group == "R-UNRESTRICTED", Huntgroup-Name == RIVERSTONE
        Riverstone-User-Level = 15, Fall-Through = Yes

jfeger  Auth-Type = System
        Group = "J-UNRESTRICTED"
--------------------------------------------------------------------
In the huntgroups file:

JUNIPER NAS-IP-Address == x.x.x.x (I took the IP out in this email)
--------------------------------------------------------------------
So, when I ssh to the IP of the NAS box and attempt to login, I get authenticated, but none of the attributes are sent back:
rlm_realm: No '@' in User-Name = "jfeger", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched jfeger at 34
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
modcall[authenticate]: module "unix" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [jfeger] (from client bb-stlc.jp-01 port 0)
Sending Access-Accept of id 10 to X.X.X.X:2315
Finished request 0
So, what am I missing, or have out of sequence? I have tried taking Fall-Through off, I have tried putting the Huntgroup before the Group, etc.
Thanks, James
I think that you can't put the group a user is in in the users file. I would suggest putting your users and groups into some type of backend like mysql or ldap. I believe you could also get what you want in the password module, with something like what is in the etc_group module in the default radiusd.conf file. Or you can use the unix module and store all your users and groups in /etc/passwd, /etc/shadow, /etc/group. That would mean having local users on that machine, however.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Okay,
So this seemed to work, but it was a little sloppy. I was able to add the local user (local on the *nix box) to a group called j-unrestricted, and it worked well.
The downside, I am now managing users with the /etc/group file and the /etc/freeradius/users file. That is weak.
On to MySQL I have ventured. I have the basics up and running, but now I am to the part about simulating the users file in the MySQL DB. I used the standard db create script to get all the proper tables defined etc., and like I said, basic auth worked. However, how do I go about setting up DEFAULT to emulate what I have above? Does it go in 'radcheck', 'radreply', 'radgroupcheck', 'radgroupreply', etc.? I have found a few useful documents out there, and done some digging, but I am still not clear on how to define this stuff based on the functioning users file I had.
Thanks, James
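One way to express the working users-file entries above (per-huntgroup DEFAULT entries plus a group membership that the users file could not hold) in the FreeRADIUS SQL tables, as an added example and not something from the thread or from the FreeRADIUS distribution. It assumes the 1.x schema, where the user-to-group table is called `usergroup` with columns `UserName` and `GroupName` (later releases renamed it `radusergroup` and added a `priority` column), and that `Huntgroup-Name` is still set by the huntgroups file before rlm_sql runs, so it can be used as a group check item.

```sql
-- Added example: emulate the users file shown earlier in the thread with rlm_sql tables.
-- Assumption: FreeRADIUS 1.x table/column names (usergroup.UserName / GroupName);
-- adjust to radusergroup(username, groupname, priority) on newer releases.

-- 1. Per-user check items: the "jfeger  Auth-Type = System" line of the users file.
INSERT INTO radcheck (UserName, Attribute, op, Value)
VALUES ('jfeger', 'Auth-Type', ':=', 'System');

-- 2. Group membership: replaces the Group = "J-UNRESTRICTED" item that the users
--    file could not evaluate. One user may belong to several groups.
INSERT INTO usergroup (UserName, GroupName) VALUES ('jfeger', 'J-UNRESTRICTED');
INSERT INTO usergroup (UserName, GroupName) VALUES ('jfeger', 'R-UNRESTRICTED');

-- 3. Group check items: the Huntgroup-Name == ... part of each DEFAULT entry.
--    The group's reply items are only sent when the request came in through
--    that huntgroup, so a Juniper login never receives Riverstone attributes.
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
VALUES ('J-UNRESTRICTED', 'Huntgroup-Name', '==', 'JUNIPER');
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
VALUES ('R-UNRESTRICTED', 'Huntgroup-Name', '==', 'RIVERSTONE');

-- 4. Group reply items: the vendor attributes each DEFAULT entry sent back.
--    Fall-Through mirrors the users file so processing continues to the next group.
INSERT INTO radgroupreply (GroupName, Attribute, op, Value)
VALUES ('J-UNRESTRICTED', 'Juniper-Local-User-Name', '=', 'UNRESTRICTED');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value)
VALUES ('J-UNRESTRICTED', 'Fall-Through', '=', 'Yes');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value)
VALUES ('R-UNRESTRICTED', 'Riverstone-User-Level', '=', '15');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value)
VALUES ('R-UNRESTRICTED', 'Fall-Through', '=', 'Yes');

-- Sanity check: list, per group the user belongs to, the check item that gates it
-- and the reply items it would add. Useful before turning on rlm_sql debug output.
SELECT ug.GroupName,
       gc.Attribute AS check_attr, gc.op AS check_op, gc.Value AS check_value,
       gr.Attribute AS reply_attr, gr.op AS reply_op, gr.Value AS reply_value
  FROM usergroup ug
  JOIN radgroupcheck gc ON gc.GroupName = ug.GroupName
  JOIN radgroupreply gr ON gr.GroupName = ug.GroupName
 WHERE ug.UserName = 'jfeger'
 ORDER BY ug.GroupName, gr.Attribute;
```

Run radiusd in debug mode afterwards and look for the rlm_sql group lines to confirm that only the group whose Huntgroup-Name check matches contributes reply attributes.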