On 07/26/2012 09:51 AM, Jenny Blunt wrote:
I'm looking for some help with the implementation of huntgroups.

Am using MySQL and have followed the following topic through:


  http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-td4950385.html

In sites-available/default I have this (just after preprocess):

      update request {
                Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}"
      }

Don't do this.

Read the 2nd email in the thread you linked to.

Huntgroup-Name is a special attribute; comparisons are executed dynamically. You can't just use it like an ordinary string attribute.

Define another attribute in raddb/dictionary:

ATTRIBUTE       SQL-Location    3010    string

...and use that.

authorize_group_check_query = "SELECT id, groupname, attribute_name, \
           Value, op \
           FROM ${groupcheck_table} \
           WHERE ( groupname = '%{Sql-Group}' OR groupname = '%{Huntgroup-Name}' ) \
           ORDER BY id"

(Which doesn't make logical sense to me)

It doesn't make sense to me either. So why do it?


What I'm failing to get my head around is how to reject or allow access
based on the location they're dialing in from?

For example, a user from IP 1.x.x.x should be allowed access at location
1 only.

I don't know what this means.

Write down the policy you want in plain English. Figure out what sources of data you need to execute that policy. Read those sources of data into attributes. Write a policy to check them.

For example:

authorize {
  update request {
    SQL-Location = "%{sql:select location from ...}"
  }
  if (NAS-IP-Address =~ /^1\./) {
    if (SQL-Location != "Location 1") {
      reject
    }
  }
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
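
One possible reading of the policy discussed above, as an added example that is not part of the original thread or the FreeRADIUS distribution: a user may only authenticate through a NAS whose location matches the location recorded for that user, and a failed lookup is rejected rather than allowed. The `SQL-NAS-Location` attribute (3011) and the `userlocation` table with its `username` and `location` columns are assumptions; `SQL-Location` and `radhuntgroup` are the names used in the thread.

```unlang
# raddb/dictionary needs both local attributes defined first:
#   ATTRIBUTE   SQL-Location       3010   string
#   ATTRIBUTE   SQL-NAS-Location   3011   string   (hypothetical, added for this example)

authorize {
	preprocess

	update request {
		# Location of the NAS the request arrived through,
		# looked up in the radhuntgroup table from the thread.
		SQL-NAS-Location := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"

		# Location this user is permitted to connect from.
		# "userlocation" is a hypothetical table for this example.
		SQL-Location := "%{sql:SELECT location FROM userlocation WHERE username='%{User-Name}'}"
	}

	# Fail closed: an unknown NAS or a user with no recorded
	# location expands to an empty string and is rejected.
	if ("%{SQL-NAS-Location}" == "" || "%{SQL-Location}" == "") {
		reject
	}
	# Both lookups succeeded; the two locations must agree.
	elsif ("%{SQL-Location}" != "%{SQL-NAS-Location}") {
		reject
	}

	# ... the rest of the existing authorize section stays unchanged
}
```

Neither attribute is `Huntgroup-Name`, so both are compared as ordinary strings.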