Re: Pushing a policy for usergroup and calling station id from Free Radius Server
On Sun, Sep 30, 2012 at 7:51 PM, Subhani sk m wrote:
> Thanks Fajar.
>
> In previous mail, "Push Policy" means Radius Attribute only. I am
> using EAP-TLS, and when a client sends a radius request with username
> "user1" to the radius server, in the access accept I am able to see the
> attributes configured in the users file being returned.
>
> In /etc/raddb/users file
>
>   user1 Cleartext-Password := "user1"
>         Tunnel-Type := 13,
>         Tunnel-Medium-Type := 6,
>         Tunnel-Private-Group-Id := "guest",
>         LVL7-Wireless-Client-Policy-Dn := "policy1"
>
> Similarly for a usergroup, say "usergroup1", I should send radius
> attributes. Also with the client MAC, which can be seen in the radius
> request as calling station id.
>
> Can we do it from modifying config files instead of modifying the sql database?

Should be possible. Though I have never tried using group from users file,
so you'd probably need to try it out yourself, or wait and see if others
have better example/advice.

--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pushing a policy for usergroup and calling station id from Free Radius Server
Thanks Fajar.

In previous mail, "Push Policy" means Radius Attribute only. I am using
EAP-TLS, and when a client sends a radius request with username "user1" to
the radius server, in the access accept I am able to see the attributes
configured in the users file being returned.

In /etc/raddb/users file

  user1 Cleartext-Password := "user1"
        Tunnel-Type := 13,
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-Id := "guest",
        LVL7-Wireless-Client-Policy-Dn := "policy1"

Similarly for a usergroup, say "usergroup1", I should send radius
attributes. Also with the client MAC, which can be seen in the radius
request as calling station id.

Can we do it from modifying config files instead of modifying the sql database?

Regards,
Subhani

On Sun, Sep 30, 2012 at 4:35 PM, Fajar A. Nugraha wrote:
> On Sun, Sep 30, 2012 at 4:53 PM, Subhani sk m wrote:
> > Hi,
> >
> > I am using free radius on Linux, Fedora 13. I am able to push policy for a
> > user. I need help on two scenarios given below.
> >
> > 1. how to push policy for a specific usergroup from free radius server
>
> Depends on what you mean by "push policy". If it's just "return some
> radius attribute", then if you use database, simply put it on
> radgroupreply table. See the included documentation, or
> http://wiki.freeradius.org/modules/Rlm_sql
>
> > 2. how to push a policy for a specific Calling-Station-ID like
> > 00:16:6F:A2:XX:XX [ no user specific policy returned]
>
> Short version? Use unlang (http://freeradius.org/radiusd/man/unlang.html)
>
> --
> Fajar
Re: Pushing a policy for usergroup and calling station id from Free Radius Server
On Sun, Sep 30, 2012 at 4:53 PM, Subhani sk m wrote:
> Hi,
>
> I am using free radius on Linux, Fedora 13. I am able to push policy for a
> user. I need help on two scenarios given below.
>
> 1. how to push policy for a specific usergroup from free radius server

Depends on what you mean by "push policy". If it's just "return some
radius attribute", then if you use database, simply put it on
radgroupreply table. See the included documentation, or
http://wiki.freeradius.org/modules/Rlm_sql

> 2. how to push a policy for a specific Calling-Station-ID like
> 00:16:6F:A2:XX:XX [ no user specific policy returned]

Short version? Use unlang (http://freeradius.org/radiusd/man/unlang.html)

--
Fajar
Pushing a policy for usergroup and calling station id from Free Radius Server
Hi,

I am using free radius on Linux, Fedora 13. I am able to push policy for a
user. I need help on two scenarios given below.

1. how to push policy for a specific usergroup from free radius server

2. how to push a policy for a specific Calling-Station-ID like
   00:16:6F:A2:XX:XX [ no user specific policy returned]

Thanks in advance.

Regards,
Subhani
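Putting Fajar's two suggestions together, here is an added example (not posted in the thread, and not the project's own configuration) of doing both without SQL: a users-file entry keyed on a group, and an unlang block keyed on the client MAC. The attribute values are the ones Subhani posted; the group name "usergroup1" and the MAC prefix 00:16:6F:A2 are from the question, while the VLAN name "staff" and the policy names "policy-usergroup1" and "policy-mac" are placeholders. It assumes FreeRADIUS 2.x with the unix module listed in authorize before files, so that the "Group" check item is resolved against the local /etc/group.

```conf
# /etc/raddb/users -- processed top to bottom by the "files" module.
#
# Group policy.  "Group" is a check item resolved by the unix module
# against the local /etc/group (assumption: unix is listed in authorize
# before files).  Fall-Through lets a later, more specific entry still apply.
DEFAULT Group == "usergroup1"
        Tunnel-Type := 13,
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-Id := "staff",
        LVL7-Wireless-Client-Policy-Dn := "policy-usergroup1",
        Fall-Through = Yes

# Per-user policy from the thread.  Because it uses ":=", it overrides
# whatever the group entry above set.  The last reply item has no trailing
# comma: a trailing comma tells the parser to expect another reply line.
user1   Cleartext-Password := "user1"
        Tunnel-Type := 13,
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-Id := "guest",
        LVL7-Wireless-Client-Policy-Dn := "policy1"


# /etc/raddb/sites-enabled/default -- per-MAC policy in unlang.
# post-auth runs only when an Access-Accept is being built, so the
# attribute is added once rather than on every EAP-TLS round trip.
# NASes format Calling-Station-Id differently (00:16:6F:A2:.., 00-16-6f-a2-..,
# 0016.6fa2....), so match the OUI with a regex instead of an exact string.
post-auth {
        if (Calling-Station-Id =~ /^00[:.-]?16[:.-]?6[Ff][:.-]?[Aa]2/) {
                update reply {
                        LVL7-Wireless-Client-Policy-Dn := "policy-mac"
                }
        }
}
```

Check the result with radiusd -X: the Access-Accept in the debug output should carry the Tunnel-* and LVL7 attributes for a user in the group, and the MAC policy only for requests whose Calling-Station-Id starts with that OUI. Calling-Station-Id is whatever the NAS copies from the client frame and is trivially spoofed, so it is fit for selecting a policy, not for deciding whether the client is allowed on at all; that decision stays with the EAP-TLS certificate check.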
Re: usergroup problems with separate auth and accounting databases
Alan DeKok wrote:
> The simple solution here is to use the "instantiate" section of
> radiusd.conf. List "sql-acct" first, and "sql-auth" second. That way,
> the SQL-Group comparison will use the "sql-auth" module, and not the
> "sql-acct" module.
>
> Alan DeKok.

Thanks, that fixed the problem. I would have thought it would have been the
other way, sql-auth before sql-acct.
Re: usergroup problems with separate auth and accounting databases
Trey Scarborough wrote:
> Alan DeKok wrote:
...
>> Let me guess... you have policies for accounting which use "SQL-Group"?
>>
> No. It breaks the Authentication when I add the Accounting configuration.

Fine. You have *authentication* policies which use "SQL-Group". That's
the issue.

When there is *one* SQL module, the SQL-Group attribute refers only to it.
When there are *two* SQL modules... which one does it refer to? That's the
problem you're running into.

The simple solution here is to use the "instantiate" section of
radiusd.conf. List "sql-acct" first, and "sql-auth" second. That way, the
SQL-Group comparison will use the "sql-auth" module, and not the "sql-acct"
module.

Alan DeKok.
Re: usergroup problems with separate auth and accounting databases
Alan DeKok wrote:
> Trey Scarborough wrote:
>> All I am trying to do is run the radius auth queries on a database on one
>> machine and the accounting on another in another database. The problem I
>> am seeing is that when the additional sql configuration is put in for
>> the accounting database it begins to use that configuration for the
>> group_membership_query
>
> Uh... no. Nothing in the SQL accounting configuration uses the group
> membership query. See the source code.

Exactly my problem, and why I don't understand why it breaks the
authorization radius reply attributes.

>> which is not in the accounting database and
>> fails. If I remove the sql-auth from the accounting configuration it
>> runs fine using the rad-auth sql configuration. Here are the excerpts from
>> my configuration. I am trying to set some radreply items with sql and
>> some by the users file by group. This works fine until I try to separate
>> the databases.
>
> Let me guess... you have policies for accounting which use "SQL-Group"?

No. It breaks the Authentication when I add the Accounting configuration.

> Alan DeKok.

Here is another, more specific output from a debug. It runs like this
without the accounting configuration:

  [sql-auth] sql_groupcmp
  [sql-auth] expand: %{User-Name} -> t...@testdomain.net
  [sql-auth] sql_set_user escaped user --> 't...@testdomain.net'
  rlm_sql (sql-auth): Reserving sql socket id: 3
  rlm_sql_mysql: query: SELECT GroupName FROM usergroup WHERE UserName='t...@testdomain.net'
  [sql-auth] sql_groupcmp finished: User is a member of group active
  rlm_sql (sql-auth): Released sql socket id: 3

Runs like this when I add the rad-acct to accounting. It appears to be using
the sql-acct for the sql_groupcmp for some reason.

  [sql-auth] sql_groupcmp
  [sql-auth] expand: %{User-Name} -> t...@testdomain.net
  [sql-auth] sql_set_user escaped user --> 't...@testdomain.net'
  rlm_sql (sql-acct): Reserving sql socket id: 4
  rlm_sql (sql-acct): Released sql socket id: 4
  [sql-auth] sql_groupcmp finished: User is NOT a member of group active

Any ideas as to why it would do this?
Re: usergroup problems with separate auth and accounting databases
Trey Scarborough wrote:
> All I am trying to do is run the radius auth queries on a database on one
> machine and the accounting on another in another database. The problem I
> am seeing is that when the additional sql configuration is put in for
> the accounting database it begins to use that configuration for the
> group_membership_query

Uh... no. Nothing in the SQL accounting configuration uses the group
membership query. See the source code.

> which is not in the accounting database and
> fails. If I remove the sql-auth from the accounting configuration it
> runs fine using the rad-auth sql configuration. Here are the excerpts from
> my configuration. I am trying to set some radreply items with sql and
> some by the users file by group. This works fine until I try to separate
> the databases.

Let me guess... you have policies for accounting which use "SQL-Group"?

Alan DeKok.
Re: usergroup problems with separate auth and accounting databases
Alan DeKok wrote:
> Trey Scarborough wrote:
>> Yes I am aware of how it is documented. I followed the documentation but
>> still it is not functioning correctly.
>>
>> I have a configuration that is similar to as follows
>
> Similar is not the same. Perhaps you could explain in *detail* what you
> are trying to do with SQL groups. Use examples from your configuration,
> not invented ones.
>
> Alan DeKok.

All I am trying to do is run the radius auth queries on a database on one
machine and the accounting on another in another database. The problem I am
seeing is that when the additional sql configuration is put in for the
accounting database it begins to use that configuration for the
group_membership_query, which is not in the accounting database, and fails.
If I remove the sql-auth from the accounting configuration it runs fine
using the rad-auth sql configuration. Here are the excerpts from my
configuration. I am trying to set some radreply items with sql and some by
the users file by group. This works fine until I try to separate the
databases.

  authorize {
        preprocess
        chap
        mschap
        suffix
        sql-auth
        files
  }

  accounting {
        detail
        radutmp
        sql-acct        #works when this line is commented out
  }

  #sql.conf file
  sql sql-auth {
        driver = "rlm_sql_mysql"
        server = "localhost"
        login = "radius"
        password = "radpass"
        radius_db = "radius"
        postauth_table = "radpostauth"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"
        usergroup_table = "usergroup"
        nas_table = "nas"
        deletestalesessions = no
        sqltrace = no
        sqltracefile = ${logdir}/sqltrace.sql
        num_sql_socks = 5
        connect_failure_retry_delay = 60
        sql_user_name = "%{User-Name}"
        authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
          FROM ${authcheck_table} \
          WHERE Username = '%{SQL-User-Name}' \
          ORDER BY id"
        authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
          FROM ${authreply_table} \
          WHERE Username = '%{SQL-User-Name}' \
          ORDER BY id"
        group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}'"
        #
        # Set to 'yes' to read radius clients from the database ('nas' table)
        readclients = yes
  }

  sql sql-acct {
        driver = "rlm_sql_mysql"
        server = "192.168.5.84"
        login = "radius"
        password = "radpass"
        radius_db = "radius-acct"
        acct_table1 = "radacct"
        acct_table2 = "radacct"
        accounting_onoff_query = "UPDATE ${acct_table1} SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
        accounting_update_query = "UPDATE ${acct_table1} \
          SET FramedIPAddress = '%{Framed-IP-Address}', \
          AcctSessionTime = '%{Acct-Session-Time}', \
          AcctInputOctets = '%{Acct-Input-Octets}', \
          AcctOutputOctets = '%{Acct-Output-Octets}' \
          WHERE AcctSessionId = '%{Acct-Session-Id}' \
          AND UserName = '%{SQL-User-Name}' \
          AND NASIPAddress= '%{NAS-IP-Address}'"
        accounting_update_query_alt = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"
        accounting_start_query = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessio
Re: usergroup problems with separate auth and accounting databases
Trey Scarborough wrote:
> Yes I am aware of how it is documented. I followed the documentation but
> still it is not functioning correctly.
>
> I have a configuration that is similar to as follows

Similar is not the same. Perhaps you could explain in *detail* what you are
trying to do with SQL groups. Use examples from your configuration, not
invented ones.

Alan DeKok.
Re: usergroup problems with separate auth and accounting databases
Yes I am aware of how it is documented. I followed the documentation but
still it is not functioning correctly.

I have a configuration that is similar to as follows

  sql sql1 {
        configuration for authentication database
        no accounting queries configured
  }

  sql sql2 {
        configuration for accounting database
        no authentication queries configured
  }

  # does not work: uses accounting sql2 for usergroup query
  authorize {
        sql1
        files
  }
  accounting {
        detail
        sql
  }

  # configuration of groups works fine but I lose accounting sql
  authorize {
        sql1
        files
  }
  accounting {
        detail
  }

Alan DeKok wrote:
> Trey Scarborough wrote:
>> I have two mysql configurations, one for my authentication request and
>> one for the accounting data. When it makes a groupcheck query it is
>> always using the module for the accounting server. Is there any way to
>> make this function correctly and have it use the configuration for the
>> authentication database?
>
> read doc/rlm_sql, or the "rlm_sql" page on the Wiki. This is documented.
>
> Alan DeKok.
Re: usergroup problems with separate auth and accounting databases
Trey Scarborough wrote:
> I have two mysql configurations, one for my authentication request and
> one for the accounting data. When it makes a groupcheck query it is
> always using the module for the accounting server. Is there any way to
> make this function correctly and have it use the configuration for the
> authentication database?

read doc/rlm_sql, or the "rlm_sql" page on the Wiki. This is documented.

Alan DeKok.
usergroup problems with separate auth and accounting databases
I have two mysql configurations, one for my authentication request and one
for the accounting data. When it makes a groupcheck query it is always using
the module for the accounting server. Is there any way to make this function
correctly and have it use the configuration for the authentication database?
Any ideas of why this is happening?

Here is some output while doing a request. sql1 is the authentication DB and
sql2 is the accounting.

  rad_recv: Access-Request packet from host 127.0.0.1 port 2701, id=94, length=61
        User-Name = "u...@domain.net"
        CHAP-Password = 0x000
  +- entering group authorize {...}
  ++[preprocess] returns ok
  [chap] Setting 'Auth-Type := CHAP'
  ++[chap] returns ok
  ++[mschap] returns noop
  [suffix] Looking up realm "domain.net" for User-Name = "u...@domain.net"
  [suffix] No such realm "vortexmail.com"
  ++[suffix] returns noop
  [sql1] expand: %{User-Name} -> u...@domain.net
  [sql1] sql_set_user escaped user --> 'u...@domain.net'
  rlm_sql (sql1): Reserving sql socket id: 4
  [sql1] expand: SELECT ..
  rlm_sql_mysql: query: SELECT ...
  [sql1] User found in radcheck table
  [sql1] expand: SELECT ..
  rlm_sql_mysql: query: SELECT ...
  [sql1] expand: SELECT ...
  rlm_sql_mysql: query: SELECT
  [sql1] expand: SELECT ...
  rlm_sql_mysql: query: SELECT ..
  [sql1] sql_groupcmp
  [sql1] expand: %{User-Name} -> u...@domain.net
  [sql1] sql_set_user escaped user --> 'u...@domain.net'
  rlm_sql (sql2): Reserving sql socket id: 4
  rlm_sql (sql2): Released sql socket id: 4
  [sql1] sql_groupcmp finished: User is NOT a member of group active
  Invalid operator for item Sql-Group: reverting to '=='
  rlm_sql (sql1): Released sql socket id: 4
  ++[sql1] returns ok
  [files] sql_groupcmp
  [files] expand: %{User-Name} -> u...@domain.net
  [files] sql_set_user escaped user --> 'u...@domain.net'
  rlm_sql (sql2): Reserving sql socket id: 3
  rlm_sql (sql2): Released sql socket id: 3
  [files] sql_groupcmp finished: User is NOT a member of group active
  [files] sql_groupcmp
  [files] expand: %{User-Name} -> u...@domain.net
  [files] sql_set_user escaped user --> 'u...@domain.net'
  rlm_sql (sql2): Reserving sql socket id: 2
  rlm_sql (sql2): Released sql socket id: 2
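Alan's fix from the thread above, written out as an added example (not Trey's configuration and not the project's own): the instantiate order decides which instance the generic SQL-Group check item refers to, because every sql instance registers the same comparison and the last registration wins. The module names sql-auth / sql-acct and the group name "active" are the ones from Trey's configuration. The example also uses the instance-specific comparison attribute that FreeRADIUS 2.x creates for each sql instance, named "<instance>-SQL-Group", which makes the policy independent of instantiate order; treat that attribute name as an assumption to confirm against doc/rlm_sql for your version.

```conf
# radiusd.conf
instantiate {
        # Both instances register a comparison for "SQL-Group", and a later
        # registration replaces an earlier one, so the instance listed LAST
        # owns the generic SQL-Group.  The accounting instance never needs the
        # group queries, so it goes first and sql-auth last.
        sql-acct
        sql-auth
}

# sites-enabled/default
authorize {
        preprocess
        chap
        mschap
        suffix
        sql-auth
        files
        # Reject anyone the auth database does not place in "active".
        # "sql-auth-SQL-Group" is bound to the sql-auth instance no matter
        # what the instantiate order is (assumption: 2.x creates one such
        # attribute per sql instance).
        if (!(sql-auth-SQL-Group == "active")) {
                reject
        }
}

accounting {
        detail
        radutmp
        sql-acct
}

# users -- the same instance-specific check item, used from the files module
DEFAULT sql-auth-SQL-Group == "active"
        Reply-Message = "account active",
        Fall-Through = Yes
```

In radiusd -X the line after "[sql-auth] sql_groupcmp" should read "rlm_sql (sql-auth): Reserving sql socket", as in Trey's working output; "rlm_sql (sql-acct)" there means the wrong instance still owns the comparison. Note the failure mode: the mis-bound comparison does not error, it quietly answers "NOT a member", so a policy that rejects members of a "disabled" group would fail open rather than closed. Binding the check to the instance by name removes that dependency on ordering.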
Re: usergroup and radgroupcheck problem!
Hi, (salaam)

Thanks for your help, but I solved the problem: I changed the radgroupcheck
query so it gets the groupname from the usergroup table and then compares
it! I think I have a better solution, isn't it?

BTW, thanks for your help. Please inform me if you know why this problem
exists. Is it a bug?

Ya Ali
Hamid Reza Hasani
Re: usergroup and radgroupcheck problem!
>> It looks like you have edited sql queries and mixed user and group
>> queries. Post the part of the startup debug with sql initializing.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
> Thanks for your response, I attached full log.

  authorize_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id"

That should be authorize_group_check_query.

  authorize_group_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id"

And that should be authorize_check_query. Swap them over.

Ivan Kalik
Kalik Informatika ISP
Re: usergroup and radgroupcheck problem!
> It looks like you have edited sql queries and mixed user and group
> queries. Post the part of the startup debug with sql initializing.
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks for your response, I attached full log.

Ya Ali
Hamid Reza Hasani

(attachment: radius.log)
Re: usergroup and radgroupcheck problem!
> If you look at them carefully, you can see there is a bit of a problem! My
> freeradius reads radgroupcheck before the usergroup table, so it can't
> recognize the user's group name for the radgroupcheck query! So it can't
> read the radgroupcheck attributes!
> Where is my fault? Can I change its priority?

It looks like you have edited sql queries and mixed user and group
queries. Post the part of the startup debug with sql initializing.

Ivan Kalik
Kalik Informatika ISP
usergroup and radgroupcheck problem!
Hi, (Salam)

I'm using the latest version of freeradius. When my users are going to
connect, I see this message:

  [sql] expand: %{User-Name} -> myuser
  [sql] sql_set_user escaped user --> 'myuser'
  rlm_sql (sql): Reserving sql socket id: 2
  [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '' ORDER BY id
  rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '' ORDER BY id
  [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'myuser' ORDER BY priority
  rlm_sql_mysql: query: SELECT groupname FROM usergroup WHERE username = 'myuser' ORDER BY priority
  [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'myuser' ORDER BY id
  rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'myuser' ORDER BY id
  [sql] User found in group test
  [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id
  rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id
  rlm_sql (sql): Released sql socket id: 2
  ++[sql] returns ok
  rlm_sqlcounter: Entering module authorize code
  rlm_sqlcounter: Could not find Check item value pair
  ++[dailycounter] returns noop
  ++[expiration] returns noop
  ++[logintime] returns noop

If you look at them carefully, you can see there is a bit of a problem! My
freeradius reads radgroupcheck before the usergroup table, so it can't
recognize the user's group name for the radgroupcheck query! So it can't
read the radgroupcheck attributes! Where is my fault? Can I change its
priority?

Thanks

Ya Ali
Hamid Reza Hasani
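For reference, an added example (not from the thread) of the five authorize queries in their correct slots, laid out the way the stock FreeRADIUS 2.x sql/mysql/dialup.conf does it; Hamid's file had the first and third swapped, which is why his radgroupcheck query expanded with an empty group name. The BINARY keyword is kept from his radcheck query so usernames compare case-sensitively. It assumes the table-name variables (authcheck_table and so on) defined in sql.conf.

```conf
# sql/mysql/dialup.conf, authorize section.  rlm_sql runs these in the
# order: check -> reply -> group membership -> then, per group, group
# check -> group reply.  %{Sql-Group} is only populated while one group is
# being processed, so a query that uses it in the authorize_check_query
# slot expands to groupname = '' exactly as in the debug output above.
authorize_check_query = "SELECT id, username, attribute, value, op \
        FROM ${authcheck_table} \
        WHERE username = BINARY '%{SQL-User-Name}' \
        ORDER BY id"

authorize_reply_query = "SELECT id, username, attribute, value, op \
        FROM ${authreply_table} \
        WHERE username = BINARY '%{SQL-User-Name}' \
        ORDER BY id"

# Groups come back in priority order.  A group whose check items do not
# match is skipped; the first matching group's reply items are used and
# processing stops there unless that group's reply contains
# Fall-Through = Yes.
group_membership_query = "SELECT groupname \
        FROM ${usergroup_table} \
        WHERE username = BINARY '%{SQL-User-Name}' \
        ORDER BY priority"

authorize_group_check_query = "SELECT id, groupname, attribute, value, op \
        FROM ${groupcheck_table} \
        WHERE groupname = '%{Sql-Group}' \
        ORDER BY id"

authorize_group_reply_query = "SELECT id, groupname, attribute, value, op \
        FROM ${groupreply_table} \
        WHERE groupname = '%{Sql-Group}' \
        ORDER BY id"
```

After the swap, the "[sql] expand:" lines in radiusd -X should show the radcheck query expanded with the username first and the radgroupcheck query expanded with a real group name after "User found in group". Keep %{SQL-User-Name} in the WHERE clauses: it is the copy of User-Name that rlm_sql has already run through its safe_characters escaping, which is what keeps an attacker-supplied username from turning into SQL.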
Re: rlm_sql: usergroup lookup if User-Profile is defined
Bjørn Mork writes:

> I am wondering if I'm the only one who finds the following default
> behaviour a bit confusing: Given a user defined like this:
>
> user1 Cleartext-Password := "foo", User-Profile := "profile1"
>
> I would expect "profile1" to always be looked up in the usergroup
> table for this user. However, this won't happen if "user1" is defined
> in that table without Fall-Through. rlm_sql will lookup "user1" first
> and only lookup "profile1" if either "user1" is not found or
> Fall-Through is set by the "user1" groups.

Some more information about what I'm trying to achieve. Maybe I'm doing
something very awkward and strange, and really should go another route.
Any hints are appreciated.

I have 2.6 million user accounts:

  mysql> select count(distinct(username)) from radcheck;
  +---------------------------+
  | count(distinct(username)) |
  +---------------------------+
  |                   2627686 |
  +---------------------------+
  1 row in set (7.41 sec)

Nearly all of these set User-Profile:

  mysql> select count(*) from radcheck where attribute = 'User-Profile';
  +----------+
  | count(*) |
  +----------+
  |  2627522 |
  +----------+
  1 row in set (2.19 sec)

The profiles represent a small number of common check and reply items for
one account class. There are only(?) 83 such distinct account types at the
moment:

  mysql> select count(distinct(username)) from radusergroup;
  +---------------------------+
  | count(distinct(username)) |
  +---------------------------+
  |                        83 |
  +---------------------------+
  1 row in set (0.01 sec)

Most of the profiles have more than one entry in the radusergroup, to do
prioritized lookups like

  user1   NAS-Port-Type == xDSL
          attribute1 = foo
  user1   NAS-Port-Type == Ethernet
          attribute1 = bar

So the total number of entries in radusergroup is higher than the number of
profiles, giving an average of 4.7 group check lists per profile:

  mysql> select count(*) from radusergroup;
  +----------+
  | count(*) |
  +----------+
  |      387 |
  +----------+
  1 row in set (0.00 sec)

Now, I do realize that the original design is based on an assumption that
every user will have an individual entry in radusergroup, mapping to every
group check list for that user. I am trying to avoid that because:

- I don't need it: There are only 83 distinct profiles, not 2.6 million

- mapping a user to a profile instead of a group list virtualizes the
  knowledge of the actual profile contents, thereby avoiding the need for
  every script creating user accounts to do this mapping (there is more
  than 1 such script...)

- the 2.6 million users would expand to approx. 12.3 million rows in the
  usergroup tables, assuming an even distribution among the profiles (real
  numbers are probably worse, as the most common profiles also tend to be
  the most complex ones). The alternative is 2.6 million rows in the
  radcheck table, saving ~10 million rows...

- not adding users to radusergroup reduces the number of tables a useradd
  script needs to touch from 3 to 2. Remember again that each such table
  will be shared among several writers, and therefore needs a "per row
  ownership" policy

But to be able to use the radusergroup as I want, I have one requirement:

- "eviluser" should not gain access to anything by using "profile" as
  username, even if "profile" sets a password (some profiles might be meant
  for devices with a preprogrammed common password, where the individual
  user check list is doing the actual authentication based on e.g.
  Calling-Station-Id)

and also some wishes:

- "profile1" should be both a valid username and profile name, where the
  user very well could be mapped to "profile2"

- looking up the username in the radusergroup table is pointless, so it
  should be avoided

- in particular, looking up a username not found in radcheck or which
  failed the radcheck items should be avoided. It is guaranteed to be
  pointless if the requirement above is fulfilled.
I think I can meet my requirement without any code changes by adding a check item like this to every group referenced by "profilename": User-Name != "profilename" (maybe think a bit about case sensitivity here - doing case sensitive lookups in the radusergroup table would solve that) But AFAICS, my wishlist items would need a code change. My suggestion would be something like this, of course defaulting to the existing behaviour (concept for discussion only - not even build tested): diff --git a/raddb/sql.conf b/raddb/sql.conf index 690c3a2..631e7b5 100644 --- a/raddb/sql.conf +++ b/raddb/sql.conf @@ -66,6 +66,10 @@ sql { # If set to 'no' th
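Review bot: the only file in this diff is raddb/sql.conf, while the message says the wishlist items need a code change, so a new option inside "sql { ... }" is dead configuration until the rlm_sql change that reads it is part of the same patch; the hunk is also cut off after the context line "# If set to 'no' th", so the four added lines (the option's name and its default) are not visible and cannot be reviewed here. When the rlm_sql side is posted, the requirement stated above, that "eviluser" must not gain access by using "profile" as the username even when the profile sets a password, is the case to cover with a test, since that is precisely the behaviour the option is meant to change.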
rlm_sql: usergroup lookup if User-Profile is defined
Hello,

I am wondering if I'm the only one who finds the following default
behaviour a bit confusing: Given a user defined like this:

  user1 Cleartext-Password := "foo", User-Profile := "profile1"

I would expect "profile1" to always be looked up in the usergroup table for
this user. However, this won't happen if "user1" is defined in that table
without Fall-Through. rlm_sql will lookup "user1" first and only lookup
"profile1" if either "user1" is not found or Fall-Through is set by the
"user1" groups.

Bjørn
usergroup
Hi All,

I have a few problems. I have freeradius version 1.0.5 running with rlm_sql.

  radcheck: username, attribute, op, value
    "test1","password","==","testpass"
    "test2","password","==","testpass"

  radreply: none

  radusergroup:
    "test1","HS1"
    "test2","HS2"
    "test2","HS1"

  radgroupcheck: groupname, attribute, op, value
    "HS1","Called-Station-Id","==","device1"
    "HS2","Called-Station-Id","==","device2"

  radgroupreply: groupname, attribute, op, value, prio
    "HS1","Framed-Pool","=","pool1",0
    "HS2","Framed-Pool","=","pool2",0

The problem is that users test1 and test2 can connect and get pool1, but
user test2 can't connect and can't get pool2. I already use
Fall-Through = Yes in radreply and radgroupreply, but it still does not
work. When I use freeradius 2.1.1, that setting works.

Does freeradius 1.0.5 not support multiple groups, or is something wrong
with my setting? How many groups can be assigned to one user in freeradius
2.1.1?
Re: FreeRadius2 + MySQL: NAS x Usergroup
Many thanks... It is working now! :)

On Tue, Sep 9, 2008 at 5:11 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Carlos Eduardo Tavares Terra wrote:
>> Sorry, but maybe I didn't understand how virtual servers really work.
>
> raddb/sites-available/README
>
> Each virtual server is a RADIUS server, just like in 1.x. The only
> difference is that you don't need to run multiple processes to get
> multiple server configurations.
>
>> I have separated into different virtual servers because each type of
>> service has different modules implemented by me. In freeradius1 I was
>> using the groupreply 'Exec-Program-Wait' and different radius servers
>> for each service. In each server I have modified the sql queries
>
> i.e. in 1.x, you modified the SQL queries in the sql module
> configuration, for each server. i.e. you were running TWO different
> instances of the SQL module.
>
> I think the problem is that you're trying to use only ONE instance of
> the SQL module in 2.x. Instead, do this in the "modules" section:
>
>   sql sql1 {
>         ... content from 1.x server1, INCLUDING queries
>   }
>
>   sql sql2 {
>         ... content from 1.x server2, INCLUDING queries
>   }
>
> Then, use "sql1" in the virtual server for server1, and "sql2" in the
> virtual server for server2.
>
> Alan DeKok.

--
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux
Re: FreeRadius2 + MySQL: NAS x Usergroup
Carlos Eduardo Tavares Terra wrote:
> Sorry, but maybe I didn't understand how virtual servers really work.

raddb/sites-available/README

Each virtual server is a RADIUS server, just like in 1.x. The only
difference is that you don't need to run multiple processes to get multiple
server configurations.

> I have separated into different virtual servers because each type of
> service has different modules implemented by me. In freeradius1 I was
> using the groupreply 'Exec-Program-Wait' and different radius servers
> for each service. In each server I have modified the sql queries

i.e. in 1.x, you modified the SQL queries in the sql module configuration,
for each server. i.e. you were running TWO different instances of the SQL
module.

I think the problem is that you're trying to use only ONE instance of the
SQL module in 2.x. Instead, do this in the "modules" section:

  sql sql1 {
        ... content from 1.x server1, INCLUDING queries
  }

  sql sql2 {
        ... content from 1.x server2, INCLUDING queries
  }

Then, use "sql1" in the virtual server for server1, and "sql2" in the
virtual server for server2.

Alan DeKok.
Re: FreeRadius2 + MySQL: NAS x Usergroup
Sorry, but maybe I didn't understand how virtual servers really work.

I have one big user base. The users can be in one or more groups.

  User:John - Group:dialup
  User:John - Group:broadband
  User:Jack - Group:dialup
  User:Jack - Group:hotspot

John and Jack are in my radcheck and radusergroup tables.

  Username:  John                Username:  Jack
  Attribute: Password            Attribute: Password
  Op:        :=                  Op:        :=
  Value:     crypt('test')       Value:     crypt('test2')

My nas clients are in the database too.

  nasname:   192.168.2.2         nasname:   192.168.2.3
  shortname: dialup-nas          shortname: broadband-nas
  type:      cisco               type:      cisco
  secret:    secret-password     secret:    secret-password
  server:    dialup              server:    broadband

My problem is here:

  expand: %{User-Name} -> John
  rlm_sql (sql): sql_set_user escaped user --> 'John'
  rlm_sql (sql): Reserving sql socket id: 2
  expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'John' ORDER BY id
  rlm_sql (sql): User found in radcheck table
  expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'John' ORDER BY id
  expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'John' ORDER BY priority
  expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id
  rlm_sql (sql): User found in group dialup
  expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id
  rlm_sql (sql): Released sql socket id: 2

John is connecting through broadband-nas, but freeradius is getting the
dialup groupname and all its checks and replies. Dialup and broadband have
the same priority in the radusergroup table. I wish to 'force' something
like 'dialup-nas' -> 'dialup group', 'broadband-nas' -> 'broadband group'.

Maybe I'm going the wrong way. I have separated into different virtual
servers because each type of service has different modules implemented by
me. In freeradius1 I was using the groupreply 'Exec-Program-Wait' and
different radius servers for each service. In each server I have modified
the sql queries to get only replies and checks for the respective groups
(services).

What is the 'right' way to implement this scenario with freeradius 2?

Thank you for the help.

2008/9/6 <[EMAIL PROTECTED]>:
> No. You define virtual home servers in proxy.conf.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 6/9/2008, "Carlos Eduardo Tavares Terra" <[EMAIL PROTECTED]> wrote:
>
>> Can I associate in groupcheck a groupname with a virtual server?
>>
>> I have separated each type of service into different virtual servers,
>> because each one of them has different modules.
>>
>> Thanks
>>
>> On Fri, Sep 5, 2008 at 2:49 PM, Ivan Kalik <[EMAIL PROTECTED]> wrote:
>>> Radgroupcheck table.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On
>>> Behalf Of Carlos Eduardo Tavares Terra
>>> Sent: 05 September 2008 02:42
>>> To: freeradius-users@lists.freeradius.org
>>> Subject: FreeRadius2 + MySQL: NAS x Usergroup
>>>
>>> Dear freeradius users,
>>>
>>> I have a special scenario. Today I have many freeradius servers, each
>>> one responsible for different services.
>>>
>>> Now I want to group these freeradius servers into one master server, but I
>>> have users in many different usergroups (one for each service).
>>> How can I associate a usergroup to a nas?
>>> Example:
>>> NAS (192.168.2.1) -> Usergroup (Dialup)
>>> NAS (192.168.2.2) -
Re: FreeRadius2 + MySQL: NAS x Usergroup
No. You define virtual home servers in proxy.conf.

Ivan Kalik
Kalik Informatika ISP

On 6/9/2008, "Carlos Eduardo Tavares Terra" <[EMAIL PROTECTED]> wrote:

>Can I associate in groupcheck a groupname with a virtual server?
>
>I have separated each type of service into different virtual servers,
>because each one of them has different modules.
>
>Thanks
>
>On Fri, Sep 5, 2008 at 2:49 PM, Ivan Kalik <[EMAIL PROTECTED]> wrote:
>> Radgroupcheck table.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Eduardo Tavares Terra
>> Sent: 05 September 2008 02:42
>> To: freeradius-users@lists.freeradius.org
>> Subject: FreeRadius2 + MySQL: NAS x Usergroup
>>
>> Dear freeradius users,
>>
>> I have a special scenario. Today I have many freeradius servers, each
>> one responsible for different services.
>>
>> Now I want to group these freeradius servers into one master server, but I
>> have users in many different usergroups (one for each service).
>> How can I associate a usergroup to a NAS?
>> Example:
>> NAS (192.168.2.1) -> Usergroup (Dialup)
>> NAS (192.168.2.2) -> Usergroup (Broadband)
>> NAS (192.168.2.3) -> Usergroup (Hotspot)
>>
>> I saw how to do this using huntgroups, but I want to use a mysql database
>> with all clients.
>>
>> Are there other ways to implement these different services in one
>> radius server, maybe the right way? If not, how can I associate the
>> usergroups and NAS using mysql?
>>
>> Thank you
>> --
>> Carlos Eduardo Tavares Terra
>> GNU/Linux #413291 [http://counter.li.org]
>> Slackware Linux
>
>--
>Carlos Eduardo Tavares Terra
>Systems Analyst
>Petróleo Brasileiro S/A
>GNU/Linux #413291 [http://counter.li.org]
>Slackware Linux

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius2 + MySQL: NAS x Usergroup
Can I associate in groupcheck a groupname with a virtual server?

I have separated each type of service into different virtual servers, because each one of them has different modules.

Thanks

On Fri, Sep 5, 2008 at 2:49 PM, Ivan Kalik <[EMAIL PROTECTED]> wrote:
> Radgroupcheck table.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Eduardo Tavares Terra
> Sent: 05 September 2008 02:42
> To: freeradius-users@lists.freeradius.org
> Subject: FreeRadius2 + MySQL: NAS x Usergroup
>
> Dear freeradius users,
>
> I have a special scenario. Today I have many freeradius servers, each
> one responsible for different services.
>
> Now I want to group these freeradius servers into one master server, but I
> have users in many different usergroups (one for each service).
> How can I associate a usergroup to a NAS?
> Example:
> NAS (192.168.2.1) -> Usergroup (Dialup)
> NAS (192.168.2.2) -> Usergroup (Broadband)
> NAS (192.168.2.3) -> Usergroup (Hotspot)
>
> I saw how to do this using huntgroups, but I want to use a mysql database
> with all clients.
>
> Are there other ways to implement these different services in one
> radius server, maybe the right way? If not, how can I associate the
> usergroups and NAS using mysql?
>
> Thank you
> --
> Carlos Eduardo Tavares Terra
> GNU/Linux #413291 [http://counter.li.org]
> Slackware Linux

--
Carlos Eduardo Tavares Terra
Systems Analyst
Petróleo Brasileiro S/A
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FreeRadius2 + MySQL: NAS x Usergroup
Radgroupcheck table.

Ivan Kalik
Kalik Informatika ISP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Eduardo Tavares Terra
Sent: 05 September 2008 02:42
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius2 + MySQL: NAS x Usergroup

Dear freeradius users,

I have a special scenario. Today I have many freeradius servers, each one responsible for different services.

Now I want to group these freeradius servers into one master server, but I have users in many different usergroups (one for each service). How can I associate a usergroup to a NAS?

Example:
NAS (192.168.2.1) -> Usergroup (Dialup)
NAS (192.168.2.2) -> Usergroup (Broadband)
NAS (192.168.2.3) -> Usergroup (Hotspot)

I saw how to do this using huntgroups, but I want to use a mysql database with all clients.

Are there other ways to implement these different services in one radius server, maybe the right way? If not, how can I associate the usergroups and NAS using mysql?

Thank you
--
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius2 + MySQL: NAS x Usergroup
Dear freeradius users,

I have a special scenario. Today I have many freeradius servers, each one responsible for different services.

Now I want to group these freeradius servers into one master server, but I have users in many different usergroups (one for each service). How can I associate a usergroup to a NAS?

Example:
NAS (192.168.2.1) -> Usergroup (Dialup)
NAS (192.168.2.2) -> Usergroup (Broadband)
NAS (192.168.2.3) -> Usergroup (Hotspot)

I saw how to do this using huntgroups, but I want to use a mysql database with all clients.

Are there other ways to implement these different services in one radius server, maybe the right way? If not, how can I associate the usergroups and NAS using mysql?

Thank you
--
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: nas / usergroup?
Use huntgroups to group access servers. Then use Huntgroup-Name in radgroupcheck to restrict access.

Ivan Kalik
Kalik Informatika ISP

On 3/9/2007, "Genis Pujol Hamelink" <[EMAIL PROTECTED]> wrote:

>Hello,
>
>I've been browsing the wiki looking for information on how to set up different
>domains or authentication groups, but couldn't find how to link a NAS to a
>usergroup (is community in the nas table equivalent to GroupName?)...
>
>What I want is to define several groups, so that only users in a group can
>authenticate through a NAS from that group.
>
>regards,
>
>Genís

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
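Ivan's answer here, and the same "Radgroupcheck table" advice given to Carlos in the thread above, can be checked with a small model. This is an added example written for this page; it is not FreeRADIUS code and not anything the posters wrote. The tables are a cut-down copy of the radusergroup/radgroupcheck/radgroupreply schema, the HUNTGROUPS dictionary stands in for the huntgroups file (the NAS addresses for dialup and broadband are the ones from Carlos's nas table, 192.168.2.4 for hotspot is constructed), and authorize() is a simplified model of how rlm_sql walks a user's groups: groups in priority order, a group is taken when all of its check items match (a group with no check rows matches), and the first matching group wins because no Fall-Through is modelled. The Session-Timeout reply values are constructed so that the chosen group is visible in the result.

```python
"""Model of rlm_sql group selection once radgroupcheck carries Huntgroup-Name.

Added example for this thread, not FreeRADIUS code. Standard library only.
"""
import sqlite3

# Stand-in for raddb/huntgroups: NAS address -> huntgroup name (assumption:
# one NAS per huntgroup; the hotspot NAS 192.168.2.4 is constructed).
HUNTGROUPS = {
    "192.168.2.2": "dialup",     # shortname dialup-nas in the thread
    "192.168.2.3": "broadband",  # shortname broadband-nas in the thread
    "192.168.2.4": "hotspot",    # constructed
}

# Cut-down copy of the FreeRADIUS SQL schema (only the columns used here).
SCHEMA = """
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""
COLUMNS = {
    "radusergroup": "username, groupname, priority",
    "radgroupcheck": "groupname, attribute, op, value",
    "radgroupreply": "groupname, attribute, op, value",
}

# Constructed rows mirroring the thread: John in dialup and broadband, Jack in
# dialup and hotspot, every membership at the same priority.
BASE_ROWS = {
    "radusergroup": [("John", "dialup", 1), ("John", "broadband", 1),
                     ("Jack", "dialup", 1), ("Jack", "hotspot", 1)],
    "radgroupreply": [("dialup", "Session-Timeout", ":=", "3600"),
                      ("broadband", "Session-Timeout", ":=", "86400"),
                      ("hotspot", "Session-Timeout", ":=", "1800")],
}

# The fix from the thread: one Huntgroup-Name check item per service group.
HUNTGROUP_CHECKS = [
    ("dialup", "Huntgroup-Name", "==", "dialup"),
    ("broadband", "Huntgroup-Name", "==", "broadband"),
    ("hotspot", "Huntgroup-Name", "==", "hotspot"),
]


def build_db(tie_groups_to_huntgroups=True):
    """Return an in-memory database, with or without the radgroupcheck rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = dict(BASE_ROWS)
    rows["radgroupcheck"] = HUNTGROUP_CHECKS if tie_groups_to_huntgroups else []
    for table, data in rows.items():
        if data:
            marks = ", ".join("?" * len(data[0]))
            conn.executemany(
                f"INSERT INTO {table} ({COLUMNS[table]}) VALUES ({marks})", data)
    conn.commit()
    return conn


def check_matches(request, attribute, op, value):
    """One check-item comparison. Only == and != are modelled; the real
    server's paircompare knows more operators and typed comparisons."""
    actual = request.get(attribute)
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    raise NotImplementedError(f"operator {op!r} not modelled")


def authorize(conn, username, nas_ip):
    """Walk the user's groups the way the debug output above shows rlm_sql
    doing it: radusergroup by priority, then radgroupcheck and radgroupreply
    per group. Returns (groupname, reply items) for the first group whose
    check items all match, or (None, {}) when no group fits this NAS."""
    request = {"User-Name": username, "NAS-IP-Address": nas_ip}
    if nas_ip in HUNTGROUPS:
        # What the huntgroups file adds to the request before rlm_sql runs.
        request["Huntgroup-Name"] = HUNTGROUPS[nas_ip]
    groups = conn.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority",
        (username,)).fetchall()
    for (group,) in groups:
        checks = conn.execute(
            "SELECT attribute, op, value FROM radgroupcheck "
            "WHERE groupname = ? ORDER BY id", (group,)).fetchall()
        # A group with no check rows matches; any failing check skips the group.
        if not all(check_matches(request, a, o, v) for a, o, v in checks):
            continue
        reply = {}
        for attribute, _op, value in conn.execute(
                "SELECT attribute, op, value FROM radgroupreply "
                "WHERE groupname = ? ORDER BY id", (group,)):
            reply[attribute] = value  # := and = both treated as assignment
        return group, reply           # first match wins: no Fall-Through
    return None, {}


if __name__ == "__main__":
    with_fix, without_fix = build_db(True), build_db(False)
    for user, nas in (("John", "192.168.2.2"), ("John", "192.168.2.3"),
                      ("Jack", "192.168.2.3"), ("John", "10.0.0.1")):
        print(f"{user}@{nas}: without checks {authorize(without_fix, user, nas)}, "
              f"with checks {authorize(with_fix, user, nas)}")
```

Without the radgroupcheck rows, John on broadband-nas gets whichever of his two equal-priority groups the database returns first, which is the behaviour Carlos saw in his debug output. With one Huntgroup-Name check per group, the NAS decides the group, and a user who is not a member of the group for that NAS (Jack on broadband-nas, or anyone on a NAS with no huntgroup) matches no group at all, which is the restriction Genís asked for; the virtual server still has to reject such a request itself, since rlm_sql only leaves the reply empty.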
nas / usergroup?
Hello,

I've been browsing the wiki looking for information on how to set up different domains or authentication groups, but couldn't find how to link a NAS to a usergroup (is community in the nas table equivalent to GroupName?)...

What I want is to define several groups, so that only users in a group can authenticate through a NAS from that group.

regards,

Genís

This e-mail contains confidential information. The information is intended for exclusive use by the abovementioned recipient. If you have received this e-mail in error, please notify us immediately to arrange for the confidential information to be returned to us. We hereby inform you that it is strictly prohibited to disclose, copy, distribute or take any action based on this information. Thank you.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
usergroup
I've recently configured freeradius with SQL support. I have it doing all the lookups fine. I was wondering, though, if there was any way to have radius use a default group, rather than having to create a second entry in the usergroup table. We're simply using radius for authentication purposes, and no static IP or other info would need to be provided to radius.

Thanks,
Craig