Re: Pushing a policy for usergroup and calling station id from Free Radius Server

2012-09-30 Thread Fajar A. Nugraha
On Sun, Sep 30, 2012 at 7:51 PM, Subhani sk m  wrote:
> Thanks Fajar.
>
>  In previous mail, "Push Policy" means Radius Attribute only. I am
> using EAP-TLS and when a client sends a radius request with username
> "user1" to radius server. In access accept I am able to see attributes
> configured in users file being returned.
>
> In /etc/raddb/users file
> user1   Cleartext-Password := "user1"
>   Tunnel-Type := 13,
>   Tunnel-Medium-Type := 6,
>   Tunnel-Private-Group-Id := "guest",
>   LVL7-Wireless-Client-Policy-Dn := "policy1"
>
>
>
> Similarly, for a usergroup, say "usergroup1", I should send radius
> attributes. Also for a client MAC, which can be seen in the radius request as
> Calling-Station-Id.
>
> Can we do it from modifying config files instead of modifying sql database?


Should be possible. Though I have never tried using group from users
file, so you'd probably need to try it out yourself, or wait and see
if others have better example/advice.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Pushing a policy for usergroup and calling station id from Free Radius Server

2012-09-30 Thread Subhani sk m
Thanks Fajar.

 In previous mail, "Push Policy" means Radius Attribute only. I am
using EAP-TLS and when a client sends a radius request with username
"user1" to radius server. In access accept I am able to see attributes
configured in users file being returned.

In /etc/raddb/users file
user1   Cleartext-Password := "user1"
  Tunnel-Type := 13,
  Tunnel-Medium-Type := 6,
  Tunnel-Private-Group-Id := "guest",
  LVL7-Wireless-Client-Policy-Dn := "policy1"



Similarly, for a usergroup, say "usergroup1", I should send radius
attributes. Also for a client MAC, which can be seen in the radius request as
Calling-Station-Id.

Can we do it from modifying config files instead of modifying sql database?

Regards,
Subhani

On Sun, Sep 30, 2012 at 4:35 PM, Fajar A. Nugraha  wrote:

> On Sun, Sep 30, 2012 at 4:53 PM, Subhani sk m 
> wrote:
> > Hi,
> >
> >  I am using free radius on Linux, Fedora 13. I am able to push policy
> for a
> > user.. I need help on two scenarios given below.
> >
> > 1.how to push policy for a specific usergroup from free radius sever
> >
>
> Depends on what you mean by "push policy". If it's just "return some
> radius attribute", then if you use database, simply put it on
> radgroupreply table. See the included documentation, or
> http://wiki.freeradius.org/modules/Rlm_sql
>
> > 2. how to push a policy for a specific Calling-Station-ID like
> > 00:16:6F:A2:XX:XX [ no user specific policy returned]
>
> Short version? Use unlang (http://freeradius.org/radiusd/man/unlang.html)
>
> --
> Fajar
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pushing a policy for usergroup and calling station id from Free Radius Server

2012-09-30 Thread Fajar A. Nugraha
On Sun, Sep 30, 2012 at 4:53 PM, Subhani sk m  wrote:
> Hi,
>
>  I am using free radius on Linux, Fedora 13. I am able to push policy for a
> user.. I need help on two scenarios given below.
>
> 1.how to push policy for a specific usergroup from free radius sever
>

Depends on what you mean by "push policy". If it's just "return some
radius attribute", then if you use database, simply put it on
radgroupreply table. See the included documentation, or
http://wiki.freeradius.org/modules/Rlm_sql

> 2. how to push a policy for a specific Calling-Station-ID like
> 00:16:6F:A2:XX:XX [ no user specific policy returned]

Short version? Use unlang (http://freeradius.org/radiusd/man/unlang.html)

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Pushing a policy for usergroup and calling station id from Free Radius Server

2012-09-30 Thread Subhani sk m
Hi,

 I am using free radius on Linux, Fedora 13. I am able to push policy for a
user.. I need help on two scenarios given below.

1.how to push policy for a specific usergroup from free radius sever

2. how to push a policy for a specific Calling-Station-ID like
00:16:6F:A2:XX:XX [ no user specific policy returned]

Thanks in advance.

Regards,
Subhani
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: usergroup problems with separate auth and accounting databases

2010-08-27 Thread Trey Scarborough

Alan DeKok wrote:
>   The simple solution here is to use the "instantiate" section of
> radiusd.conf.  List "sql-acct" first, and "sql-auth" second.  That way,
> the SQL-Group comparison will use the "sql-auth" module, and not the
> "sql-acct" module.
>
>   Alan DeKok.

Thanks, that fixed the problem. I would have thought it would have been
the other way, sql-auth before sql-acct.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: usergroup problems with separate auth and accounting databases

2010-08-26 Thread Alan DeKok
Trey Scarborough wrote:
> Alan DeKok wrote:
...
>>   Let me guess... you have policies for accounting which use "SQL-Group"?
>>   
> No It breaks the Authentication when I add the Accounting  configuration

  Fine.  You have *authentication* policies which use "SQL-Group".
That's the issue.

  When there is *one* SQL module, the SQL-Group attribute refers only to
it.  When there are *two* SQL modules... which one does it refer to?
That's the problem you're running into.

  The simple solution here is to use the "instantiate" section of
radiusd.conf.  List "sql-acct" first, and "sql-auth" second.  That way,
the SQL-Group comparison will use the "sql-auth" module, and not the
"sql-acct" module.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: usergroup problems with separate auth and accounting databases

2010-08-26 Thread Trey Scarborough

Alan DeKok wrote:
> Trey Scarborough wrote:
>> All I am trying to do is run the radius auth queries on a database on one
>> machine and the accounting on another in another database. The problem I
>> am seeing is that when the additional sql configuration is put in for
>> the accounting database it begins to use that configuration for the
>> group_membership_query
>
>   Uh... no.  Nothing in the SQL accounting configuration uses the group
> membership query.  See the source code.

Exactly my problem, and why I don't understand why it breaks the
authorization radius reply attributes.

>> which is not in the accounting database and
>> fails. If I remove the sql-auth from the accounting configuration it
>> runs fine using the rad-auth sql configuration. Here are the excerpts from
>> my configuration. I am trying to set some radreply items with sql and
>> some by the users file by group. This works fine until I try to separate
>> the databases.
>
>   Let me guess... you have policies for accounting which use "SQL-Group"?

No. It breaks the Authentication when I add the Accounting configuration.

>   Alan DeKok.

  


Here is another more specific output from a debug

It runs like this without the accounting configuration

[sql-auth] sql_groupcmp
[sql-auth]  expand: %{User-Name} -> t...@testdomain.net
[sql-auth] sql_set_user escaped user --> 't...@testdomain.net'
rlm_sql (sql-auth): Reserving sql socket id: 3
rlm_sql_mysql: query:  SELECT GroupName FROM usergroup WHERE 
UserName='t...@testdomain.net'

[sql-auth] sql_groupcmp finished: User is a member of group active
rlm_sql (sql-auth): Released sql socket id: 3

Runs like this when I add the rad-acct to accounting. It appears to be 
using the sql-acct for the sql_groupcmp for some reason.


[sql-auth] sql_groupcmp
[sql-auth]  expand: %{User-Name} -> t...@testdomain.net
[sql-auth] sql_set_user escaped user --> 't...@testdomain.net'
rlm_sql (sql-acct): Reserving sql socket id: 4
rlm_sql (sql-acct): Released sql socket id: 4
[sql-auth] sql_groupcmp finished: User is NOT a member of group active


Any ideas as to why it would do this?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: usergroup problems with separate auth and accounting databases

2010-08-26 Thread Alan DeKok
Trey Scarborough wrote:
> All I am trying to do is run the radius auth querys on a database on one
> machine and the accounting on another in another database. The problem I
> am seeing is that when the additional sql configuration is put in for
> the  accounting database it begins to use that configuration for the
> group_membership_query

  Uh... no.  Nothing in the SQL accounting configuration uses the group
membership query.  See the source code.

> which is not in the accounting database and
> fails. If I remove the sql-auth from the accounting configuration it
> runs fine using the rad-auth sql configuration. Here is the exerts from
> my configuration. I am trying to set some radreply items with sql and
> some by the users file by group. This works fine until I try to seperate
> the databases.

  Let me guess... you have policies for accounting which use "SQL-Group"?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: usergroup problems with separate auth and accounting databases

2010-08-26 Thread Trey Scarborough

Alan DeKok wrote:
> Trey Scarborough wrote:
>> Yes, I am aware of how it is documented. I followed the documentation but
>> it is still not functioning correctly.
>>
>> I have a configuration that is similar to as follows
>
> Similar is not the same.
>
>   Perhaps you could explain in *detail* what you are trying to do with
> SQL groups.  Use examples from your configuration, not invented ones.
>
>   Alan DeKok.

All I am trying to do is run the radius auth queries on a database on one
machine and the accounting on another in another database. The problem I
am seeing is that when the additional sql configuration is put in for
the accounting database it begins to use that configuration for the
group_membership_query, which is not in the accounting database and
fails. If I remove the sql-auth from the accounting configuration it
runs fine using the rad-auth sql configuration. Here are the excerpts from
my configuration. I am trying to set some radreply items with sql and
some by the users file by group. This works fine until I try to separate
the databases.


authorize {
  preprocess
  chap
  mschap
  suffix
  sql-auth
  files
}
accounting {
  detail
  radutmp
  sql-acct  #works when this line is commented out
}

#sql.conf file
sql sql-auth {
  driver = "rlm_sql_mysql"
  server = "localhost"
  login = "radius"
  password = "radpass"
  radius_db = "radius"
  postauth_table = "radpostauth"
  authcheck_table = "radcheck"
  authreply_table = "radreply"
  groupcheck_table = "radgroupcheck"
  groupreply_table = "radgroupreply"
  usergroup_table = "usergroup"
  nas_table = "nas"
  deletestalesessions = no
  sqltrace = no
  sqltracefile = ${logdir}/sqltrace.sql
  num_sql_socks = 5
  connect_failure_retry_delay = 60
  sql_user_name = "%{User-Name}"

  authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
    FROM ${authcheck_table} \
    WHERE Username = '%{SQL-User-Name}' \
    ORDER BY id"
  authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
    FROM ${authreply_table} \
    WHERE Username = '%{SQL-User-Name}' \
    ORDER BY id"
  group_membership_query = "SELECT GroupName FROM ${usergroup_table} \
    WHERE UserName='%{SQL-User-Name}'"


  #
  # Set to 'yes' to read radius clients from the database ('nas' table)
  readclients = yes
}

sql sql-acct {
  driver = "rlm_sql_mysql"
  server = "192.168.5.84"
  login = "radius"
  password = "radpass"
  radius_db = "radius-acct"
  acct_table1 = "radacct"
  acct_table2 = "radacct"
  accounting_onoff_query = "UPDATE ${acct_table1} \
    SET AcctStopTime='%S', \
    AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), \
    AcctTerminateCause='%{Acct-Terminate-Cause}', \
    AcctStopDelay='%{Acct-Delay-Time}' \
    WHERE AcctSessionTime=0 AND AcctStopTime=0 \
    AND NASIPAddress='%{NAS-IP-Address}' AND AcctStartTime <= '%S'"

  accounting_update_query = "UPDATE ${acct_table1} \
    SET FramedIPAddress = '%{Framed-IP-Address}', \
    AcctSessionTime = '%{Acct-Session-Time}', \
    AcctInputOctets = '%{Acct-Input-Octets}', \
    AcctOutputOctets = '%{Acct-Output-Octets}' \
    WHERE AcctSessionId = '%{Acct-Session-Id}' \
    AND UserName = '%{SQL-User-Name}' \
    AND NASIPAddress= '%{NAS-IP-Address}'"

  accounting_update_query_alt = "INSERT into ${acct_table1} \
    (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, \
    NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, \
    ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, \
    CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, \
    AcctStartDelay) values('%{Acct-Session-Id}', \
    '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', \
    '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', \
    DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), \
    '%{Acct-Session-Time}', '%{Acct-Authentic}', '', \
    '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', \
    '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', \
    '%{Framed-IP-Address}', '0')"


  accounting_start_query = "INSERT into ${acct_table1} (AcctSessionId, 
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, 
AcctStartTime, AcctStopTime, AcctSessio

Re: usergroup problems with separate auth and accounting databases

2010-08-26 Thread Alan DeKok
Trey Scarborough wrote:
> Yes I am aware of how it is Documented I followed the documentation but
> still is not functioning correctly.
> 
> I have a configuration that is similar to as follows

Similar is not the same.

  Perhaps you could explain in *detail* what you are trying to do with
SQL groups.  Use examples from your configuration, not invented ones.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: usergroup problems with separate auth and accounting databases

2010-08-25 Thread Trey Scarborough
Yes, I am aware of how it is documented. I followed the documentation but
it is still not functioning correctly.


I have a configuration that is similar to as follows

sql sql1 {
configuration for authentication database
no accounting queries configured
}
sql sql2 {
configuration for accounting database
no authentication queries configured
}

#does not work: uses accounting sql2 for usergroup query
authorize {
   sql1
   files
}

accounting {
  detail
  sql2
}

#configuration of groups works fine but I lose accounting sql
authorize {
   sql1
   files
}

accounting {
  detail
}



Alan DeKok wrote:
> Trey Scarborough wrote:
>> I have two mysql configurations, one for my authentication requests and
>> one for the accounting data. When it makes a groupcheck query it is
>> always using the module for the accounting server. Is there any way to
>> make this function correctly and have it use the configuration for the
>> authentication database?
>
>   read doc/rlm_sql, or the "rlm_sql" page on the Wiki.  This is documented.
>
>   Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: usergroup problems with separate auth and accounting databases

2010-08-25 Thread Alan DeKok
Trey Scarborough wrote:
> I have two mysql configurations, one for my authentication requests and
> one for the accounting data. When it makes a groupcheck query it is
> always using the module for the accounting server. Is there any way to
> make this function correctly and have it use the configuration for the
> authentication database?

  read doc/rlm_sql, or the "rlm_sql" page on the Wiki.  This is documented.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



usergroup problems with separate auth and accounting databases

2010-08-24 Thread Trey Scarborough
I have two mysql configurations, one for my authentication requests and
one for the accounting data. When it makes a groupcheck query it is
always using the module for the accounting server. Is there any way to
make this function correctly and have it use the configuration for the
authentication database?


Any ideas why this is happening?

Here is some output while doing a request; sql1 is the authentication DB and
sql2 is the accounting DB.


rad_recv: Access-Request packet from host 127.0.0.1 port 2701, id=94, 
length=61

   User-Name = "u...@domain.net"
   CHAP-Password = 0x000
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] Looking up realm "domain.net" for User-Name = "u...@domain.net"
[suffix] No such realm "vortexmail.com"
++[suffix] returns noop
[sql1]  expand: %{User-Name} -> u...@domain.net
[sql1] sql_set_user escaped user --> 'u...@domain.net'
rlm_sql (sql1): Reserving sql socket id: 4
[sql1]  expand: SELECT ..
rlm_sql_mysql: query:  SELECT ...
[sql1] User found in radcheck table
[sql1]  expand: SELECT ..
rlm_sql_mysql: query:  SELECT ...
[sql1]  expand: SELECT ...
rlm_sql_mysql: query:  SELECT
[sql1]  expand: SELECT ...
rlm_sql_mysql: query:  SELECT ..
[sql1] sql_groupcmp
[sql1]  expand: %{User-Name} -> u...@domain.net
[sql1] sql_set_user escaped user --> 'u...@domain.net'
rlm_sql (sql2): Reserving sql socket id: 4
rlm_sql (sql2): Released sql socket id: 4
[sql1] sql_groupcmp finished: User is NOT a member of group active
Invalid operator for item Sql-Group: reverting to '=='
rlm_sql (sql1): Released sql socket id: 4
++[sql1] returns ok
[files] sql_groupcmp
[files] expand: %{User-Name} -> u...@domain.net
[files] sql_set_user escaped user --> 'u...@domain.net'
rlm_sql (sql2): Reserving sql socket id: 3
rlm_sql (sql2): Released sql socket id: 3
[files] sql_groupcmp finished: User is NOT a member of group active
[files] sql_groupcmp
[files] expand: %{User-Name} -> u...@domain.net
[files] sql_set_user escaped user --> 'u...@domain.net'
rlm_sql (sql2): Reserving sql socket id: 2
rlm_sql (sql2): Released sql socket id: 2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: usergroup and radgroupcheck problem!

2009-11-15 Thread Hamid Reza Hasani
Hi,(salaam)
Thanks for your help, but I solved the problem: I changed the
radgroupcheck query so it gets the groupname from the usergroup table and then
compares it! I think I have a better solution, isn't it?

BTW thanks for your help, please inform me if you know why this problem
exists? Is it a bug?

Ya Ali
Hamid Reza Hasani
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: usergroup and radgroupcheck problem!

2009-11-14 Thread tnt
>>It looks like you have edited sql queries and mixed user and group
>>queries. Post the part of the startup debug with sql initializing.
>
>
>>Ivan Kalik
>>Kalik Informatika ISP
>
> Thanks for your response, I attached full log.

authorize_check_query = "SELECT id, groupname, attribute, Value, op \
  FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id"

That should be authorize_group_check_query.

authorize_group_check_query = "SELECT id, username, attribute, value, op \
  FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id"

And that should be authorize_check_query. Swap them over.


Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: usergroup and radgroupcheck problem!

2009-11-13 Thread Hamid Reza Hasani
>It looks like you have edited sql queries and mixed user and group
>queries. Post the part of the startup debug with sql initializing.


>Ivan Kalik
>Kalik Informatika ISP

Thanks for your response, I attached full log.

Ya Ali
Hamid Reza Hasani


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: usergroup and radgroupcheck problem!

2009-11-12 Thread tnt
> If you look at them carefully, you can see there is a bit of a problem! My
> freeradius reads radgroupcheck before the usergroup table, so it can't
> recognize the user's group name for the radgroupcheck query, so it can't read
> the radgroupcheck attributes!
> Where is my fault? Can I change its priority?

It looks like you have edited sql queries and mixed user and group
queries. Post the part of the startup debug with sql initializing.


Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


usergroup and radgroupcheck problem!

2009-11-12 Thread Hamid Reza Hasani
Hi, (Salam)
I'm using last version of freeradius. when my users are going to connect, I
see this message:

[sql]   expand: %{User-Name} -> myuser
[sql] sql_set_user escaped user --> 'myuser'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE groupname =
'%{Sql-Group}'   ORDER BY id -> SELECT id, groupname,
attribute,   Value, op   FROM radgroupcheck   WHERE
groupname = ''   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE groupname = ''
ORDER BY id
[sql]   expand: SELECT groupname   FROM usergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
groupname   FROM usergroup   WHERE username =
'myuser'   ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM usergroup
WHERE username = 'myuser'   ORDER BY priority
[sql]   expand: SELECT id, username, attribute, value, op  FROM
radcheck  WHERE username = BINARY '%{SQL-User-Name}'  ORDER
BY id -> SELECT id, username, attribute, value, op  FROM
radcheck  WHERE username = BINARY 'myuser'  ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radcheck  WHERE username = BINARY 'myuser'  ORDER BY id
[sql] User found in group test
[sql]   expand: SELECT id, groupname, attribute,   value,
op   FROM radgroupreply   WHERE groupname =
'%{Sql-Group}'   ORDER BY id -> SELECT id, groupname,
attribute,   value, op   FROM radgroupreply   WHERE
groupname = 'test'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   value,
op   FROM radgroupreply   WHERE groupname = 'test'
ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
++[expiration] returns noop
++[logintime] returns noop

If you look at them carefully, you can see there is a bit of a problem! My
freeradius reads radgroupcheck before the usergroup table, so it can't
recognize the user's group name for the radgroupcheck query, so it can't read
the radgroupcheck attributes!
Where is my fault? Can I change its priority?

thanks
Ya Ali
Hamid Reza Hasani
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: rlm_sql: usergroup lookup if User-Profile is defined

2009-10-25 Thread Bjørn Mork
Bjørn Mork  writes:

> I am wondering if I'm the only one who finds the following default
> behaviour a bit confusing:  Given a user defined like this:
>
>  user1 Cleartext-Password := "foo", User-Profile := "profile1"
>
> I would expect "profile1" to always be looked up in the usergroup
> table for this user.  However, this won't happen if "user1" is defined
> in that table without Fall-Through.  rlm_sql will lookup "user1" first
> and only lookup "profile1" if either "user1" is not found or
> Fall-Through is set by the "user1" groups.


Some more information about what I'm trying to achieve.  Maybe I'm doing
something very awkward and strange, and really should go another route.
Any hints are appreciated.


I have 2.6 million user accounts:

mysql> select count(distinct(username)) from radcheck;
+---------------------------+
| count(distinct(username)) |
+---------------------------+
|                   2627686 |
+---------------------------+
1 row in set (7.41 sec)


Nearly all of these set User-Profile:

mysql> select count(*) from radcheck where attribute = 'User-Profile';
+----------+
| count(*) |
+----------+
|  2627522 |
+----------+
1 row in set (2.19 sec)


The profiles represent a small number of common check and reply items
for one account class.  There are only(?) 83 such distinct account types
at the moment:


mysql> select count(distinct(username)) from radusergroup;
+---------------------------+
| count(distinct(username)) |
+---------------------------+
|                        83 |
+---------------------------+
1 row in set (0.01 sec)



Most of the profiles have more than one entry in the radusergroup, to do
prioritized lookups like

user1    NAS-Port-Type == xDSL
         attribute1 = foo

user1    NAS-Port-Type == Ethernet
         attribute1 = bar



So the total number of entries in radusergroup is higher than the number
of profiles, giving an average of 4.7 group check lists per profile:


mysql> select count(*) from radusergroup;
+----------+
| count(*) |
+----------+
|      387 |
+----------+
1 row in set (0.00 sec)




Now, I do realize that the original design is based on an assumption
that every user will have an individual entry in radusergroup, mapping
to every group check list for that user.  I am trying to avoid that
because: 

  - I don't need it:  There are only 83 distinct profiles, not 2.6 million
  - mapping a user to a profile instead of a group list virtualizes the
knowledge of the actual profile contents, thereby avoiding the need
for every script creating user accounts to do this mapping (there is
more than 1 such script...)
  - the 2.6 million users would expand to approx. 12.3 million rows in
the usergroup tables, assuming an even distribution among the
profiles (real numbers are probably worse, as the most common
profiles also tend to be the most complex ones).  The alternative is
2.6 million rows in the radcheck table, saving ~10 million rows...
  - not adding users to radusergroup reduces the number of tables a
useradd script needs to touch from 3 to 2.  Remember again that each
such table will be shared among several writers, and therefore needs
a "per row ownership" policy

But to be able to use the radusergroup as I want, I have one
requirement:

  - "eviluser" should not gain access to anything by using "profile" as
username, even if "profile" sets a password (some profiles might be
meant for devices with a preprogrammed common password, where the
individual user check list is doing the actual authentication based
on e.g. Calling-Station-Id)

 and also some wishes:

  - "profile1" should be both a valid username and profile name, where
the user very well could be mapped to "profile2"
  - looking up the username in the radusergroup table is pointless, so
it should be avoided
  - in particular, looking up a username not found in radcheck or which
failed the radcheck items should be avoided.  It is guaranteed to be
pointless if the requirement above is fulfilled.



I think I can meet my requirement without any code changes by adding a
check item like this to every group referenced by "profilename":

  User-Name != "profilename"

(maybe think a bit about case sensitivity here - doing case sensitive
lookups in the radusergroup table would solve that)

But AFAICS, my wishlist items would need a code change.  My suggestion
would be something like this, of course defaulting to the existing
behaviour (concept for discussion only - not even build tested): 

diff --git a/raddb/sql.conf b/raddb/sql.conf
index 690c3a2..631e7b5 100644
--- a/raddb/sql.conf
+++ b/raddb/sql.conf
@@ -66,6 +66,10 @@ sql {
# If set to 'no' th

rlm_sql: usergroup lookup if User-Profile is defined

2009-10-24 Thread Bjørn Mork
Hello,

I am wondering if I'm the only one who finds the following default
behaviour a bit confusing:  Given a user defined like this:

 user1 Cleartext-Password := "foo", User-Profile := "profile1"

I would expect "profile1" to always be looked up in the usergroup
table for this user.  However, this won't happen if "user1" is defined
in that table without Fall-Through.  rlm_sql will lookup "user1" first
and only lookup "profile1" if either "user1" is not found or
Fall-Through is set by the "user1" groups.


Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

usergroup

2008-12-04 Thread sugiarto tjahyono
Hi All,

I have a few problems.

I have freeradius version 1.0.5 running with rlm_sql.

radcheck :
username, attribute, op, value
"test1","password","==","testpass"
"test2","password","==","testpass"

radreply :
none

radusergroup :
"test1","HS1"
"test2","HS2"
"test2","HS1"

radgroupcheck :
groupname, attribute, op, value
"HS1","Called-Station-Id","==","device1"
"HS2","Called-Station-Id","==","device2"

radgroupreply :
groupname, attribute, op, value,prio
"HS1","Framed-Pool","=","pool1",0
"HS2","Framed-Pool","=","pool2",0

The problem is that user test1 and test2 can connect and get pool1, but user test2
can't connect and can't get pool2.
I already use Fall-Through = Yes in radreply and radgroupreply, but it still
does not work.

When I use freeradius 2.1.1, that setting works.
Does freeradius 1.0.5 not support multiple groups, or is something wrong with my
setting?
How many groups can be assigned to one user in freeradius 2.1.1?



  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
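The threads above keep circling one mechanism: rlm_sql reads the user's radcheck rows, then the user's groups from radusergroup in priority order, applies each group's radgroupcheck list, and adds that group's radgroupreply items, stopping at the first matching group unless it sets Fall-Through; User-Profile is consulted only when the user has no radusergroup rows of their own (Bjørn's observation). The Python script below is an added example, not code from FreeRADIUS or from any poster: it loads a constructed copy of the four tables into an in-memory SQLite database and walks them with that logic. It covers sugiarto's two-group user, Bjørn's profile-name-as-username concern, and a Calling-Station-Id prefix check of the kind Subhani asked about, written here as a `=~` radgroupcheck item rather than the unlang Fajar suggested. The evaluator is a simplified model of rlm_sql's authorize flow (group check lists decide only which reply items are added; the accept/reject decision comes from the radcheck password), and every table row is made up.

```python
import re
import sqlite3

# Constructed in-memory copy of the four rlm_sql tables (sample data only).
SCHEMA = """
CREATE TABLE radcheck      (username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""
ROWS = {
    "radcheck": [
        ("test2", "Cleartext-Password", ":=", "testpass"),
        ("user1", "Cleartext-Password", ":=", "foo"),
        ("user1", "User-Profile", ":=", "profile1"),  # user1 has no group rows
        ("user2", "Cleartext-Password", ":=", "bar"),
        ("user2", "User-Profile", ":=", "profile1"),  # user2 has its own group row
    ],
    "radusergroup": [
        ("test2", "HS2", 1),        # lower priority value is evaluated first
        ("test2", "HS1", 2),
        ("user2", "staff", 1),
        ("profile1", "guest", 1),   # profile name used as the group key
    ],
    "radgroupcheck": [
        ("HS1", "Called-Station-Id", "==", "device1"),
        ("HS2", "Called-Station-Id", "==", "device2"),
        ("guest", "Calling-Station-Id", "=~", "^00:16:6F:A2:"),  # MAC prefix policy
    ],
    "radgroupreply": [
        ("HS1", "Framed-Pool", "=", "pool1"),
        ("HS2", "Framed-Pool", "=", "pool2"),
        ("HS2", "Fall-Through", "=", "Yes"),  # keep evaluating later groups
        ("guest", "Tunnel-Private-Group-Id", ":=", "guest"),
        ("staff", "Tunnel-Private-Group-Id", ":=", "staff"),
    ],
}

def open_db():
    """Create the tables in a fresh in-memory SQLite database and load ROWS."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        db.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return db

def check_matches(op, want, got):
    """Evaluate one check item against the request's value for that attribute."""
    if got is None:
        return False
    if op == "==":
        return got == want
    if op == "!=":
        return got != want
    if op == "=~":
        return re.search(want, got) is not None
    raise ValueError(f"unsupported check operator {op!r}")

def apply_reply(reply, attr, op, value):
    """':=' always sets the reply item; '=' only adds it if not already present."""
    if op == ":=" or attr not in reply:
        reply[attr] = value

def groups_for(db, name):
    return [g for (g,) in db.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority",
        (name,))]

def authorize(db, request):
    """Return (accepted, reply_items) for a request given as a dict of attributes."""
    user = request["User-Name"]
    checks = db.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ?", (user,)).fetchall()
    if not checks:
        return False, {}  # unknown user (a bare profile name lands here too)
    password = next((v for a, _, v in checks if a == "Cleartext-Password"), None)
    profile = next((v for a, _, v in checks if a == "User-Profile"), None)
    if password is None or request.get("User-Password") != password:
        return False, {}
    # The user's own group rows win; User-Profile is consulted only when the
    # user has none (the behaviour Bjørn describes).
    groups = groups_for(db, user) or (groups_for(db, profile) if profile else [])
    reply = {}
    for group in groups:
        gchecks = db.execute(
            "SELECT attribute, op, value FROM radgroupcheck WHERE groupname = ?",
            (group,)).fetchall()
        if not all(check_matches(op, want, request.get(attr)) for attr, op, want in gchecks):
            continue  # this group's check list failed: try the next group
        fall_through = False
        for attr, op, value in db.execute(
                "SELECT attribute, op, value FROM radgroupreply WHERE groupname = ?",
                (group,)):
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                apply_reply(reply, attr, op, value)
        if not fall_through:
            break  # first matching group wins unless it falls through
    return True, reply

if __name__ == "__main__":
    req = {"User-Name": "test2", "User-Password": "testpass", "Called-Station-Id": "device1"}
    print(authorize(open_db(), req))  # (True, {'Framed-Pool': 'pool1'})
```

Run as a script it prints the decision for test2 arriving at device1: HS2 is tried first because of its priority, its Called-Station-Id check fails, and HS1 supplies pool1. A request that uses "profile1" as User-Name is rejected here simply because no radcheck row exists for it; Bjørn's concern arises when a profile does carry a password row, which is what his `User-Name != "profilename"` group check item guards against. The `=~` check is case-sensitive, so a NAS that sends lower-case MACs would need the pattern (or a normalising step) adjusted accordingly.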


Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-12 Thread Carlos Eduardo Tavares Terra
Many thanks... It is working now! :)

On Tue, Sep 9, 2008 at 5:11 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Carlos Eduardo Tavares Terra wrote:
>> Sorry, but maybe I didn't understand how virtual servers really work.
>
>  raddb/sites-available/README
>
>  Each virtual server is a RADIUS server, just like in 1.x.  The only
> difference is that you don't need to run multiple processes to get
> multiple server configurations.
>> I have separated into different virtual servers because each type of
>> service have different modules implemented by me. In freeradius1 I was
>> using the groupreply 'Exec-Program-Wait' and different radius servers
> for each service. In each server I have modified the sql queries
>
>  i.e. in 1.x, you modified the SQL queries in the sql module
> configuration, for each server.  i.e. you were running TWO different
> instances of the SQL module.
>
>  I think the problem is that you're trying to use only ONE instance of
> the SQL module in 2.x.  Instead, do this in the "modules" section:
>
>  sql sql1 {
>... content from 1.x server1, INCLUDING queries
>}
>
>  sql sql2 {
>... content from 1.x server2, INCLUDING queries
>}
>
>  Then, use "sql1" in the virtual server for server1, and "sql2" in the
> virtual server for sql2.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>



-- 
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-09 Thread Alan DeKok
Carlos Eduardo Tavares Terra wrote:
> Sorry, but maybe I didn't understand how virtual servers really work.

  raddb/sites-available/README

  Each virtual server is a RADIUS server, just like in 1.x.  The only
difference is that you don't need to run multiple processes to get
multiple server configurations.
> I have separated into different virtual servers because each type of
> service have different modules implemented by me. In freeradius1 I was
> using the groupreply 'Exec-Program-Wait' and different radius servers
> for each service. In each server I have modified the sql queries

  i.e. in 1.x, you modified the SQL queries in the sql module
configuration, for each server.  i.e. you were running TWO different
instances of the SQL module.

  I think the problem is that you're trying to use only ONE instance of
the SQL module in 2.x.  Instead, do this in the "modules" section:

  sql sql1 {
... content from 1.x server1, INCLUDING queries
}

  sql sql2 {
... content from 1.x server2, INCLUDING queries
}

  Then, use "sql1" in the virtual server for server1, and "sql2" in the
virtual server for sql2.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-08 Thread Carlos Eduardo Tavares Terra
Sorry, but maybe I didn't understand how virtual servers really work.

I have one big users base. The users can be in one or more groups.

User:John - Group:dialup
User:John - Group:broadband

User:Jack - Group:dialup
User:Jack - Group: hotspot

John and Jack are in my radcheck and radusergroup tables.

Username: John              Username: Jack
Attribute: Password         Attribute: Password
Op: :=                      Op: :=
Value: crypt('test')        Value: crypt('test2')


My nas clients are in database too.

nasname: 192.168.2.2        nasname: 192.168.2.3
shortname: dialup-nas       shortname: broadband-nas
type: cisco                 type: cisco
secret: secret-password     secret: secret-password
server: dialup              server: broadband


My problem is here:

expand: %{User-Name} -> John
rlm_sql (sql): sql_set_user escaped user --> 'John'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = 'John'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op
FROM radreply   WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply   WHERE username = 'John'   ORDER BY id
expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'   ORDER BY priority ->
SELECT groupname   FROM radusergroup   WHERE username
= 'John'   ORDER BY priority
expand: SELECT id, groupname, attribute,   Value, op
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'
 ORDER BY id -> SELECT id, groupname, attribute,
Value, op   FROM radgroupcheck   WHERE groupname =
'dialup'   ORDER BY id
rlm_sql (sql): User found in group dialup
expand: SELECT id, groupname, attribute,   value, op
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'
 ORDER BY id -> SELECT id, groupname, attribute,
value, op   FROM radgroupreply   WHERE groupname =
'dialup'   ORDER BY id
rlm_sql (sql): Released sql socket id: 2


John is connecting through broadband-nas, but freeradius is getting the
dialup groupname and all its checks and replies.
Dialup and broadband have the same priority in the radusergroup table.

I wish to 'force' something like 'dialup-nas'->'dialup group',
'broadband-nas'->'broadband group'.

Maybe I'm going through the wrong way.

I have separated into different virtual servers because each type of
service has different modules implemented by me. In FreeRADIUS 1 I was
using the groupreply 'Exec-Program-Wait' and different RADIUS servers
for each service. In each server I have modified the SQL queries to get
only the replies and checks for the respective groups (services).

What is the 'right' way to implement this scenario with freeradius 2?

Thank you for the help.

2008/9/6  <[EMAIL PROTECTED]>:
> No. You define virtual home servers in proxy.conf.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 6/9/2008, "Carlos Eduardo Tavares Terra" <[EMAIL PROTECTED]>
> wrote:
>
>>Can I associate in groupcheck a groupname with a virtual server?
>>
>>I have separated each type of service into different virtual servers,
>>because each one of them has different modules.
>>
>>Thanks
>>
>>On Fri, Sep 5, 2008 at 2:49 PM, Ivan Kalik <[EMAIL PROTECTED]> wrote:
>>> Radgroupcheck table.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On
>>> Behalf Of Carlos Eduardo Tavares Terra
>>> Sent: 05 September 2008 02:42
>>> To: freeradius-users@lists.freeradius.org
>>> Subject: FreeRadius2 + MySQL: NAS x Usergroup
>>>
>>>
>>> Dear freeradius users,
>>>
>>>I have a special scenario. Today I have many freeradius servers, each
>>> one responsible for a different service.
>>>
>>>   Now I want to group these freeradius servers into one master server, but I
>>> have users in many different usergroups (one for each service).
>>>   How can I associate a usergroup to a NAS?
>>>   Example:
>>>   NAS (192.168.2.1) -> Usergroup (Dialup)
>>>   NAS (192.168.2.2) -

Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-06 Thread tnt
No. You define virtual home servers in proxy.conf.

Ivan Kalik
Kalik Informatika ISP


On 6/9/2008, "Carlos Eduardo Tavares Terra" <[EMAIL PROTECTED]>
wrote:

>Can I associate in groupcheck a groupname with a virtual server?
>
>I have separated each type of service into different virtual servers,
>because each one of them has different modules.
>
>Thanks
>
>On Fri, Sep 5, 2008 at 2:49 PM, Ivan Kalik <[EMAIL PROTECTED]> wrote:
>> Radgroupcheck table.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On
>> Behalf Of Carlos Eduardo Tavares Terra
>> Sent: 05 September 2008 02:42
>> To: freeradius-users@lists.freeradius.org
>> Subject: FreeRadius2 + MySQL: NAS x Usergroup
>>
>>
>> Dear freeradius users,
>>
>>I have a special scenario. Today I have many freeradius servers, each
>> one responsible for a different service.
>>
>>   Now I want to group these freeradius servers into one master server, but I
>> have users in many different usergroups (one for each service).
>>   How can I associate a usergroup to a NAS?
>>   Example:
>>   NAS (192.168.2.1) -> Usergroup (Dialup)
>>   NAS (192.168.2.2) -> Usergroup (Broadband)
>>   NAS (192.168.2.3) -> Usergroup (Hotspot)
>>
>>   I saw how to do this using huntgroups, but I want to use a MySQL database
>> with all clients.
>>
>>  Are there other ways to implement these different services in one
>> RADIUS server, maybe the right way? If not, how can I associate the
>> usergroups and NAS using MySQL?
>>
>> Thank you
>> --
>> Carlos Eduardo Tavares Terra
>> GNU/Linux #413291 [http://counter.li.org]
>> Slackware Linux
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>>
>>
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>>
>
>
>
>-- 
>Carlos Eduardo Tavares Terra
>Analista de Sistemas
>Petróleo Brasileiro S/A
>GNU/Linux #413291 [http://counter.li.org]
>Slackware Linux
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-06 Thread Carlos Eduardo Tavares Terra
Can I associate in groupcheck a groupname with a virtual server?

I have separated each type of service into different virtual servers,
because each one of them has different modules.

Thanks

On Fri, Sep 5, 2008 at 2:49 PM, Ivan Kalik <[EMAIL PROTECTED]> wrote:
> Radgroupcheck table.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Carlos Eduardo Tavares Terra
> Sent: 05 September 2008 02:42
> To: freeradius-users@lists.freeradius.org
> Subject: FreeRadius2 + MySQL: NAS x Usergroup
>
>
> Dear freeradius users,
>
>I have a special scenario. Today I have many freeradius servers, each
> one responsible for a different service.
>
>   Now I want to group these freeradius servers into one master server, but I
> have users in many different usergroups (one for each service).
>   How can I associate a usergroup to a NAS?
>   Example:
>   NAS (192.168.2.1) -> Usergroup (Dialup)
>   NAS (192.168.2.2) -> Usergroup (Broadband)
>   NAS (192.168.2.3) -> Usergroup (Hotspot)
>
>   I saw how to do this using huntgroups, but I want to use a MySQL database
> with all clients.
>
>  Are there other ways to implement these different services in one
> RADIUS server, maybe the right way? If not, how can I associate the
> usergroups and NAS using MySQL?
>
> Thank you
> --
> Carlos Eduardo Tavares Terra
> GNU/Linux #413291 [http://counter.li.org]
> Slackware Linux
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>



-- 
Carlos Eduardo Tavares Terra
Analista de Sistemas
Petróleo Brasileiro S/A
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-05 Thread Ivan Kalik
Radgroupcheck table.

Ivan Kalik
Kalik Informatika ISP

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Carlos Eduardo Tavares Terra
Sent: 05 September 2008 02:42
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius2 + MySQL: NAS x Usergroup


Dear freeradius users,

I have a special scenario. Today I have many freeradius servers, each
one responsible for a different service.

   Now I want to group these freeradius servers into one master server, but I
have users in many different usergroups (one for each service).
   How can I associate a usergroup to a NAS?
   Example:
   NAS (192.168.2.1) -> Usergroup (Dialup)
   NAS (192.168.2.2) -> Usergroup (Broadband)
   NAS (192.168.2.3) -> Usergroup (Hotspot)

   I saw how to do this using huntgroups, but I want to use a MySQL database
with all clients.

  Are there other ways to implement these different services in one
RADIUS server, maybe the right way? If not, how can I associate the
usergroups and NAS using MySQL?

Thank you
-- 
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRadius2 + MySQL: NAS x Usergroup

2008-09-04 Thread Carlos Eduardo Tavares Terra
Dear freeradius users,

I have a special scenario. Today I have many freeradius servers,
each one responsible for a different service.

   Now I want to group these freeradius servers into one master server,
but I have users in many different usergroups (one for each service).
   How can I associate a usergroup to a NAS?
   Example:
   NAS (192.168.2.1) -> Usergroup (Dialup)
   NAS (192.168.2.2) -> Usergroup (Broadband)
   NAS (192.168.2.3) -> Usergroup (Hotspot)

   I saw how to do this using huntgroups, but I want to use a MySQL
database with all clients.

  Are there other ways to implement these different services in one
RADIUS server, maybe the right way? If not, how can I associate the
usergroups and NAS using MySQL?

Thank you
-- 
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: nas / usergroup?

2007-09-03 Thread tnt
Use huntgroups to group access servers. Then use Huntgroup-Name in
radgroupcheck to restrict access.

Ivan Kalik
Kalik Informatika ISP


On 3/9/2007, "Genis Pujol Hamelink" <[EMAIL PROTECTED]> wrote:

>Hello,
> 
>I've been browsing the wiki looking for information on how to set up different 
>domains or authentication groups, but couldn't find how to link a NAS to a 
>usergroup (is community in the nas table equivalent to GroupName?)...
> 
>What I want is to define several groups so that only users in a group can 
>authenticate through a NAS from that group.
> 
> 
>regards,
> 
>Genís  
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
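
Added illustration, not FreeRADIUS source and not from anyone in this thread: a Python model of the group walk behind Carlos's debug output (John on broadband-nas picking up the dialup group) and of the two fixes proposed in the thread, check items in radgroupcheck keyed on NAS-IP-Address (the "Radgroupcheck table" reply) or on Huntgroup-Name (the reply directly above). Column names follow the stock FreeRADIUS 2.x SQL schema; the rows, the huntgroup map, the NAS addresses 192.168.2.2 (dialup-nas) and 192.168.2.3 (broadband-nas) taken from Carlos's nas table, and the reply attributes Framed-Protocol and Framed-MTU are constructed for the example. Only the == check operator is modelled and reply operators are collapsed to plain assignment.

```python
"""Model of how rlm_sql walks radusergroup, radgroupcheck and radgroupreply.

Added illustration for this thread, not FreeRADIUS source.  Column names
follow the stock FreeRADIUS 2.x SQL schema; the rows, the huntgroup map
and the per-NAS check items are constructed for the example.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""

# Constructed rows mirroring the thread: John is in dialup and broadband with
# the same priority, and neither group has any check items yet.
ROWS = """
INSERT INTO radcheck VALUES (1, 'John', 'Cleartext-Password', ':=', 'test');
INSERT INTO radusergroup VALUES ('John', 'dialup', 1);
INSERT INTO radusergroup VALUES ('John', 'broadband', 1);
INSERT INTO radgroupreply VALUES (1, 'dialup', 'Framed-Protocol', ':=', 'PPP');
INSERT INTO radgroupreply VALUES (2, 'broadband', 'Framed-MTU', ':=', '1492');
"""

# Stand-in for raddb/huntgroups: huntgroup name -> NAS addresses (constructed).
HUNTGROUPS = {"dialup": {"192.168.2.2"}, "broadband": {"192.168.2.3"}}


def open_db(fix=None):
    """Build the in-memory database; `fix` adds the check items the thread suggests."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + ROWS)
    if fix == "nas-ip":
        # 2008 suggestion: tie each group to its NAS directly in radgroupcheck.
        items = [("dialup", "NAS-IP-Address", "==", "192.168.2.2"),
                 ("broadband", "NAS-IP-Address", "==", "192.168.2.3")]
    elif fix == "huntgroup":
        # 2007 suggestion: group NASes in huntgroups and match Huntgroup-Name.
        items = [("dialup", "Huntgroup-Name", "==", "dialup"),
                 ("broadband", "Huntgroup-Name", "==", "broadband")]
    else:
        items = []
    db.executemany("INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES (?, ?, ?, ?)", items)
    return db


def with_huntgroup(request):
    """Resolve NAS-IP-Address to Huntgroup-Name.  FreeRADIUS evaluates Huntgroup-Name
    through a comparison callback at check time; resolving it up front gives the
    same answer for the == checks this model supports."""
    nas = request.get("NAS-IP-Address")
    for name, members in HUNTGROUPS.items():
        if nas in members:
            return {**request, "Huntgroup-Name": name}
    return dict(request)


def checks_pass(request, items):
    """paircompare() reduced to the == operator: every check item must match the request."""
    for attribute, op, value in items:
        if op != "==":
            raise ValueError(f"operator {op} is not modelled here")
        if request.get(attribute) != value:
            return False
    return True


def authorize(db, request):
    """Return (groups that matched, reply items) for one Access-Request."""
    request = with_huntgroup(request)
    # ORDER BY priority is what the stock query does; rowid only makes the tie
    # between equal priorities deterministic for this model (the thread's equal
    # priorities leave that order to the database).
    groups = [g for (g,) in db.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority, rowid",
        (request["User-Name"],))]
    matched, reply = [], {}
    for group in groups:
        checks = db.execute(
            "SELECT attribute, op, value FROM radgroupcheck WHERE groupname = ? ORDER BY id",
            (group,)).fetchall()
        if checks and not checks_pass(request, checks):
            continue                 # this group's check items failed: try the next group
        matched.append(group)
        for attribute, op, value in db.execute(
                "SELECT attribute, op, value FROM radgroupreply WHERE groupname = ? ORDER BY id",
                (group,)):
            reply[attribute] = value  # reply operators (:=, +=, ...) collapsed to assignment
        if reply.pop("Fall-Through", "No").lower() != "yes":
            break                    # first matching group wins unless it sets Fall-Through = Yes
    return matched, reply


if __name__ == "__main__":
    john_on_broadband = {"User-Name": "John", "NAS-IP-Address": "192.168.2.3"}
    for fix in (None, "nas-ip", "huntgroup"):
        print(fix, authorize(open_db(fix), john_on_broadband))
```

Run without a fix and John on 192.168.2.3 gets the dialup reply, because dialup sorts first and a group with no check items always matches, so the walk stops there. With either fix the dialup check fails on that NAS, the walk moves on to broadband, and a request from a NAS in neither group gets no group reply at all, which is the restriction Genís asked for in the message below.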


nas / usergroup?

2007-09-03 Thread Genis Pujol Hamelink
Hello,

I've been browsing the wiki looking for information on how to set up different 
domains or authentication groups, but couldn't find how to link a NAS to a 
usergroup (is community in the nas table equivalent to GroupName?)...

What I want is to define several groups so that only users in a group can 
authenticate through a NAS from that group.

regards,

Genís


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

usergroup

2004-02-26 Thread Craig Witter

I've recently configured freeradius with SQL support.
I have it doing all the lookups fine. I was wondering though, if there was any
way to have radius use a default group, rather than having to create a second
entry in the usergroup table. We're simply using radius for
authentication purposes, and no static IP or other info would need to be
provided to radius.

Thanks,

Craig