Can anybody post a simple howto with regards to using groups within freeradius? What we would like to do is restrict some users from logging into various firewalls. I've created usergroups and defined:
mysql> select * from usergroup ;
+------------------+-------------+----------+
| UserName         | GroupName   | priority |
+------------------+-------------+----------+
|                  | login users |        1 |
| asa1.test        | adminasa    |        1 |
| test.user        | Login users |        1 |
+------------------+-------------+----------+

and

mysql> select * from radgroupcheck ;
+----+-----------+----------------+----+----------------+
| id | GroupName | Attribute      | op | Value          |
+----+-----------+----------------+----+----------------+
|  1 | adminasa  | NAS-IP-Address | == | 10.252.128.11  |
|  2 | adminasa  | NAS-IP-Address | == | 10.252.253.199 |
|  3 | adminasa  | NAS-IP-Address | == | 10.250.32.68   |
|  4 | adminasa  | NAS-IP-Address | == | 10.250.32.69   |
|  5 | adminasa  | NAS-IP-Address | == | 10.254.32.68   |
|  6 | adminasa  | NAS-Identifier | == | 10.252.128.11  |
+----+-----------+----------------+----+----------------+
6 rows in set (0.00 sec)

debug shows the following;

Sending Access-Reject of id 10 to 10.159.103.154 port 1812
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 10.252.128.11:1025, id=40, length=67
        User-Name = "asa1.test"
        User-Password = "33333333333330"
        NAS-IP-Address = 10.252.128.11
        NAS-Port = 43
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
  modcall[authorize]: module "preprocess" returns ok for request 18
  modcall[authorize]: module "chap" returns noop for request 18
  modcall[authorize]: module "mschap" returns noop for request 18
    rlm_realm: No '@' in User-Name = "asa1.test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 18
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 18
  modcall[authorize]: module "files" returns notfound for request 18
radius_xlat: 'asa1.test'
rlm_sql (sql): sql_set_user escaped user --> 'asa1.test'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'asa1.test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'asa1.test' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'asa1.test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'asa1.test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'asa1.test' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'asa1.test' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'asa1.test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'asa1.test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module "sql" returns ok for request 18
modcall: leaving group authorize (returns ok) for request 18
  auth: type Crypt
Login OK: [asa1.test] (from client SBBC port 43)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 18
rlm_sql (sql): Processing sql_postauth
radius_xlat: 'asa1.test'
rlm_sql (sql): sql_set_user escaped user --> 'asa1.test'
radius_xlat: 'INSERT into radacct (UserName, NASIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, CallingStationId, AcctTerminateCause, NASIdentifier) values ('asa1.test', '10.252.128.11', NOW(), NOW(), '0', 'Local', '', 'Access-Accept', '')'
radius_xlat: '/var/log/freeradius/sqltrace.sql'
rlm_sql (sql) in sql_postauth: query is INSERT into radacct (UserName, NASIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, CallingStationId, AcctTerminateCause, NASIdentifier) values ('asa1.test', '10.252.128.11', NOW(), NOW(), '0', 'Local', '', 'Access-Accept', '')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: INSERT into radacct (UserName, NASIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, CallingStationId, AcctTerminateCause, NASIdentifier) values ('asa1.test', '10.252.128.11', NOW(), NOW(), '0', 'Local', '', 'Access-Accept', '')
rlm_sql (sql): Released sql socket id: 2
  modcall[post-auth]: module "sql" returns ok for request 18
modcall: leaving group post-auth (returns ok) for request 18
Sending Access-Accept of id 40 to 10.252.128.11 port 1025
        Service-Type = Dialout-Framed-User
Finished request 18
Going to the next request

So I need some starting point of what/where to look at.

Thanks

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
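As an added illustration (editor's example, not code from the poster or from FreeRADIUS), the following Python models how I understand radgroupcheck rows are evaluated: every check item of a group must match the request (logical AND), so a group holding five different NAS-IP-Address == rows can never match at once and its reply items are never applied. The usergroup and radgroupcheck rows and the Access-Request attributes are transcribed from the post; the regex-based alternative group and the simplified operator handling are my assumptions.

```python
import re

# Transcribed from the usergroup / radgroupcheck tables in the post (constructed sample data).
USERGROUP = {"asa1.test": ["adminasa"], "test.user": ["Login users"]}
RADGROUPCHECK = {
    "adminasa": [
        ("NAS-IP-Address", "==", "10.252.128.11"),
        ("NAS-IP-Address", "==", "10.252.253.199"),
        ("NAS-IP-Address", "==", "10.250.32.68"),
        ("NAS-IP-Address", "==", "10.250.32.69"),
        ("NAS-IP-Address", "==", "10.254.32.68"),
        ("NAS-Identifier", "==", "10.252.128.11"),
    ],
    "Login users": [],          # no check items: the group always matches
}
# Assumed alternative: one check item whose regex lists every allowed NAS.
RADGROUPCHECK_REGEX = {
    "adminasa": [("NAS-IP-Address", "=~",
                  r"^10\.(252\.128\.11|252\.253\.199|250\.32\.68|250\.32\.69|254\.32\.68)$")],
}
# Transcribed from the Access-Request in the debug output (constructed sample request).
REQUEST = {"User-Name": "asa1.test", "NAS-IP-Address": "10.252.128.11", "NAS-Port": "43"}


def check_item_matches(request, attr, op, value):
    """One check item against the request; an attribute absent from the request never matches."""
    actual = request.get(attr)
    if actual is None:
        return False
    if op == "==":
        return actual == value
    if op == "=~":
        return re.search(value, actual) is not None
    raise ValueError(f"operator {op!r} not modelled here")


def matching_groups(user, request, usergroup, radgroupcheck):
    """Groups of `user` whose check items ALL match, i.e. whose reply items would be applied."""
    matched = []
    for group in usergroup.get(user, []):
        items = radgroupcheck.get(group, [])
        if all(check_item_matches(request, *item) for item in items):
            matched.append(group)
    return matched


if __name__ == "__main__":
    print(matching_groups("asa1.test", REQUEST, USERGROUP, RADGROUPCHECK))        # []
    print(matching_groups("asa1.test", REQUEST, USERGROUP, RADGROUPCHECK_REGEX))  # ['adminasa']
```

Note that a group failing to match only withholds its reply items; the user above is still accepted because radcheck supplies a Crypt-Password, which is why the debug ends in Access-Accept.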