Re: Authenticate/Attributes based on NAS-IP-Address - SOLVED
Ok, so here's what I did to solve this problem. I'm posting this just for anyone out there searching the archives that needs something like my situation. I did a lot of reading, and a lot of re-reading, and finally the lightbulb over my head clicked on! I read Mike's previous post several times over and over, and finally understand it:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg16842.html

My goal as stated before: basically if a user logs in through NAS1, they are assigned X attributes with a *dynamic* IP; if they log in through NAS2, they are assigned Y attributes with a *static* IP. And all this needs to be done in MySQL, that way my own PHP frontend (which I intend to release GPL) can work with it. Also I think MySQL scales better.

1) Create a new field (column) in the radreply, radgroupcheck, and radgroupreply tables. You could name this column anything you want, but following Mike's earlier post, mine is set up as "HuntGroup". The name is insignificant, it is merely a reference, but you should make sure that it stays the same throughout this.

2) Modify sql.conf and change the following:

    authorize_group_check_query
    authorize_group_reply_query
    authorize_reply_query

Make them the following:

    # Group check items, restricted to rows whose HuntGroup matches the
    # client the request came from (or rows with no HuntGroup at all).
    # The posted version also carried a stray
    #   AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName
    # here, which refers to a table that is not in this query's FROM
    # clause; it is left out.
    authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName AND (${groupcheck_table}.HuntGroup = '%{request:Client-IP-Address}' OR ${groupcheck_table}.HuntGroup IS NULL) ORDER BY ${groupcheck_table}.id"

    # Group reply items, same HuntGroup filter.
    authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName AND (${groupreply_table}.HuntGroup = '%{request:Client-IP-Address}' OR ${groupreply_table}.HuntGroup IS NULL) ORDER BY ${groupreply_table}.id"

    # Per-user reply items; an empty HuntGroup is treated like NULL here.
    authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' AND (${authreply_table}.HuntGroup = '%{request:Client-IP-Address}' OR ${authreply_table}.HuntGroup = '' OR ${authreply_table}.HuntGroup IS NULL) ORDER BY id"

Note that where it says ".HuntGroup" this is where you would change the name depending on what you call your field in #1. Also, where it says "%{request:Client-IP-Address}" this is going to be the attribute you are checking against. Originally I had it set to "NAS-IP-Address" as I was checking the NAS to determine what to reply with. Graeme pointed out that Client-IP is more secure, as NAS-IP can be spoofed.

3) Now insert into the various tables for testing. I assume here that you already have groups set up. I have two groups, Wireless and Dial-Up.

In radgroupcheck:

    +-----+-----------+-----------+----+--------+----------------+
    | id  | GroupName | Attribute | op | Value  | HuntGroup      |
    +-----+-----------+-----------+----+--------+----------------+
    | 132 | Wireless  | Auth-Type | == | Local  | 68.190.182.200 |
    | 134 | Dial-Up   | Auth-Type | == | Local  | 63.151.182.3   |
    | 135 | Dial-Up   | Auth-Type | == | Reject | 68.190.182.200 |
    +-----+-----------+-----------+----+--------+----------------+

We need the reject under Dial-Up so that it doesn't reply with Dial-Up attributes coming from that NAS (IP). Someone correct me if that is wrong, perhaps that isn't needed?

In radgroupreply (the 0 column is the table's prio field):

    +-----+-----------+--------------------+----+-----------------+------+----------------+
    | id  | GroupName | Attribute          | op | Value           | prio | HuntGroup      |
    +-----+-----------+--------------------+----+-----------------+------+----------------+
    | 133 | Wireless  | Service-Type       | := | Framed-User     | 0    | 68.190.182.200 |
    | 132 | Wireless  | Framed-Compression | := | Stac-LZS        | 0    | 68.190.182.200 |
    | 131 | Wireless  | Framed-MTU         | := | 1480            | 0    | 68.190.182.200 |
    | 130 | Wireless  | Framed-IP-Netmask  | := | 255.255.255.255 | 0    | 68.190.182.200 |
    | 129 | Wireless  | Framed-IP-Address  | := | 255.255.255.254 | 0    | 68.190.182.200 |
    | 128 | Wireless  | Framed-Protocol    | := | PPP             | 0    | 68.190.182.200 |
    | 134 | Wireless  | Session-Timeout    | := | 14400           | 0    | 68.190.182.200 |
    | 135 | Wireless  | Idle-Timeout       | := | 600             | 0    | 68.190.182.200 |
    | 136 | Wireless  | Port-Limit         | := | 2               | 0    | 68.190.182.200 |
    +-----+-----------+--------------------+----+-----------------+------+----------------+

In radreply:

    +-----+-------------+-------------------+----+-------------+----------------+
    | id  | UserName    | Attribute         | op | Value       | HuntGroup      |
    +-----+-------------+-------------------+----+-------------+----------------+
    | 171 | testaccount | Framed-IP-Address | := | 192.168.3.5 | 68.190.182.200 |
    +-----+-------------+-------------------+----+-------------+----------------+

4) I put the user "testaccount" into both the Dial-Up and Wireless groups. Now, if I run a test (I use NTRadPing) from anything other than 68.190.182.200, it replies with the attributes for Dial-Up. If I run a te
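As an added example, not code from Nick's post: the three modified sql.conf queries above, run against an in-memory SQLite copy of the four tables loaded with the rows from steps 3 and 4, to show which check and reply rows each query returns when the same user comes in through the Wireless NAS (68.190.182.200) versus the Dial-Up NAS (63.151.182.3). The `${...}` macros are expanded to the default table names, and the two `%{...}` expansions become bound parameters because the queries are executed from Python here. The second parameter is the address the server received the request from (Client-IP-Address), the value Graeme recommended over the NAS-IP-Address attribute carried inside the packet. The merge in `reply_attributes` is this example's own simplification; the real server applies the `op` column itself.

```python
"""Added example (not from the thread): exercise the HuntGroup-extended
FreeRADIUS SQL tables with SQLite to see which rows each of the three
modified sql.conf queries returns for a given client IP."""
import sqlite3

# Sample values taken from the post: the two NAS addresses and the test
# user that is a member of both groups.
WIRELESS_NAS = "68.190.182.200"
DIALUP_NAS = "63.151.182.3"
USER = "testaccount"

SCHEMA = """
CREATE TABLE radusergroup (UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT,
    Attribute TEXT, op TEXT, Value TEXT, HuntGroup TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT,
    Attribute TEXT, op TEXT, Value TEXT, HuntGroup TEXT);
CREATE TABLE radreply (id INTEGER PRIMARY KEY, UserName TEXT,
    Attribute TEXT, op TEXT, Value TEXT, HuntGroup TEXT);
"""

# The post's queries with ${...} expanded to the default table names and
# %{SQL-User-Name} / %{request:Client-IP-Address} as bound parameters.
GROUP_CHECK_Q = """
SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
       radgroupcheck.Value, radgroupcheck.op
FROM radgroupcheck, radusergroup
WHERE radusergroup.UserName = ?
  AND radusergroup.GroupName = radgroupcheck.GroupName
  AND (radgroupcheck.HuntGroup = ? OR radgroupcheck.HuntGroup IS NULL)
ORDER BY radgroupcheck.id"""
GROUP_REPLY_Q = """
SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute,
       radgroupreply.Value, radgroupreply.op
FROM radgroupreply, radusergroup
WHERE radusergroup.UserName = ?
  AND radusergroup.GroupName = radgroupreply.GroupName
  AND (radgroupreply.HuntGroup = ? OR radgroupreply.HuntGroup IS NULL)
ORDER BY radgroupreply.id"""
USER_REPLY_Q = """
SELECT id, UserName, Attribute, Value, op
FROM radreply
WHERE UserName = ?
  AND (HuntGroup = ? OR HuntGroup = '' OR HuntGroup IS NULL)
ORDER BY id"""


def build_db():
    """Create the tables and load the rows shown in the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radusergroup VALUES (?, ?)",
                     [(USER, "Wireless"), (USER, "Dial-Up")])
    conn.executemany("INSERT INTO radgroupcheck VALUES (?, ?, ?, ?, ?, ?)", [
        (132, "Wireless", "Auth-Type", "==", "Local", WIRELESS_NAS),
        (134, "Dial-Up", "Auth-Type", "==", "Local", DIALUP_NAS),
        (135, "Dial-Up", "Auth-Type", "==", "Reject", WIRELESS_NAS),
    ])
    conn.executemany("INSERT INTO radgroupreply VALUES (?, ?, ?, ?, ?, ?)", [
        (128, "Wireless", "Framed-Protocol", ":=", "PPP", WIRELESS_NAS),
        (129, "Wireless", "Framed-IP-Address", ":=", "255.255.255.254", WIRELESS_NAS),
        (130, "Wireless", "Framed-IP-Netmask", ":=", "255.255.255.255", WIRELESS_NAS),
        (131, "Wireless", "Framed-MTU", ":=", "1480", WIRELESS_NAS),
        (132, "Wireless", "Framed-Compression", ":=", "Stac-LZS", WIRELESS_NAS),
        (133, "Wireless", "Service-Type", ":=", "Framed-User", WIRELESS_NAS),
        (134, "Wireless", "Session-Timeout", ":=", "14400", WIRELESS_NAS),
        (135, "Wireless", "Idle-Timeout", ":=", "600", WIRELESS_NAS),
        (136, "Wireless", "Port-Limit", ":=", "2", WIRELESS_NAS),
    ])
    conn.execute("INSERT INTO radreply VALUES (?, ?, ?, ?, ?, ?)",
                 (171, USER, "Framed-IP-Address", ":=", "192.168.3.5", WIRELESS_NAS))
    return conn


def authorize(conn, username, client_ip):
    """Run the three queries for one request; client_ip is the source
    address the request arrived from, not an attribute in the packet."""
    params = (username, client_ip)
    return {
        "group_check": conn.execute(GROUP_CHECK_Q, params).fetchall(),
        "group_reply": conn.execute(GROUP_REPLY_Q, params).fetchall(),
        "user_reply": conn.execute(USER_REPLY_Q, params).fetchall(),
    }


def reply_attributes(result):
    """Flatten group and per-user reply rows into {Attribute: Value}. This
    example lets the per-user row overwrite the group row (so the static
    address wins); the real server applies the op column itself."""
    attrs = {}
    for _id, _owner, attribute, value, _op in result["group_reply"] + result["user_reply"]:
        attrs[attribute] = value
    return attrs


if __name__ == "__main__":
    db = build_db()
    for nas in (WIRELESS_NAS, DIALUP_NAS):
        res = authorize(db, USER, nas)
        print(nas, [row[1:4] for row in res["group_check"]], reply_attributes(res))
```

Through the Wireless NAS the user gets both the Wireless "Auth-Type == Local" check row and the Dial-Up "Auth-Type == Reject" row, all nine Wireless reply rows and the static 192.168.3.5; through the Dial-Up NAS only the Dial-Up "Local" check row comes back and no reply rows at all, so the NAS assigns the address itself, which is what the post set out to get.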
Re: Authenticate/Attributes based on NAS-IP-Address
Hiya,

Use Client-IP rather than NAS-IP as NAS-IP can be spoofed.

Graeme

On Wed, 2005-06-08 at 15:30 -0700, N White wrote:
> Do I need to setup a "HuntGroups" field like Mike suggested?
> [...]
> Now in radgroupcheck do I need a NAS-IP-Address check for each group (or
> the wireless group?)?
> Thanks for everyone's help.
>
> -Nick

--
Graeme Hinchliffe (BSc)
Core Systems Designer
Zen Internet (http://www.zen.co.uk/)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authenticate/Attributes based on NAS-IP-Address
> That link doesn't give me anything. Page Not Found. I've done a lot of
> searching through the archives though and haven't really found anything
> like this.

Did you add the "tml" back into the URL?

>> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg16842.h
>> tml

_Mike
Re: Authenticate/Attributes based on NAS-IP-Address
Graeme Hinchliffe wrote:
> perhaps you could do it using huntgroups.
> [...]
> not 100% about the overriding of the static IP settings, but would think
> it possible using the assignment ( := ) operator and possibly a null
> value?

Do I need to setup a "HuntGroups" field like Mike suggested? Ok, so in the huntgroups file:

    Wireless      NAS-IP-Address = (the IP of the Wireless NAS)
                  Autz-Type = SQL1   (modify radiusd.conf to include this, and sql.conf like in Mike's post?)
    NAS-dynamic   NAS-IP-Address = (ip of dialup NAS)
                  NAS-IP-Address = (ip of isdn NAS)

in radgroupreply:

    +-----------+--------------------+----+---------------------+-----------+
    | GroupName | Attribute          | op | Value               | HuntGroup |
    +-----------+--------------------+----+---------------------+-----------+
    | Wireless  | Service-Type       | =  | Framed-User         | Wireless  |
    | Wireless  | Framed-Protocol    | =  | PPP                 | Wireless  |
    | Wireless  | Framed-IP-Address  | =  | 255.255.255.254     | Wireless  |
    | Wireless  | Framed-IP-Netmask  | =  | 255.255.255.255     | Wireless  |
    | Wireless  | Framed-Compression | =  | Van-Jacobson-TCP-IP | Wireless  |
    +-----------+--------------------+----+---------------------+-----------+

All other users would go into the Dial-Up group, which would have a HuntGroup of NAS-dynamic?

in radreply:

    +----------+-------------------+----+--------------+
    | UserName | Attribute         | op | Value        |
    +----------+-------------------+----+--------------+
    | test123  | Framed-IP-Address | := | 192.168.2.10 |
    +----------+-------------------+----+--------------+

Now in radgroupcheck do I need a NAS-IP-Address check for each group (or the wireless group?)?

Thanks for everyone's help.

-Nick
Re: Authenticate/Attributes based on NAS-IP-Address
Zoltan A. Ori wrote:
> Pay attention to details. Take note that the link wraps. You can't just
> blindly click it. You'll have to enter the .html manually. The link is good.

Already taken care of.

-Nick

--
| Nick White           |
| Network Consultant   |
| http://www.edge9.net |
| [EMAIL PROTECTED]    |
Re: Authenticate/Attributes based on NAS-IP-Address
On Wednesday 08 June 2005 15:54, N White wrote:
> That link doesn't give me anything. Page Not Found. I've done a lot of
> searching through the archives though and haven't really found anything
> like this.
>
> -Nick
>
> Mike Lampson wrote:
> >http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg16842
> >.html

Pay attention to details. Take note that the link wraps. You can't just blindly click it. You'll have to enter the .html manually. The link is good.
Re: Authenticate/Attributes based on NAS-IP-Address
Never mind, I added "tml" to it. Haha.

-Nick

N White wrote:
> That link doesn't give me anything. Page Not Found. I've done a lot of
> searching through the archives though and haven't really found anything
> like this.
>
> Mike Lampson wrote:
> > See my previous post to this list archived here:
> > http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg16842.h
> > tml
> [...]
Re: Authenticate/Attributes based on NAS-IP-Address
That link doesn't give me anything. Page Not Found. I've done a lot of searching through the archives though and haven't really found anything like this.

-Nick

Mike Lampson wrote:
> Nick,
>
> Extend the MySQL schema and change the SQL queries in sql.conf to do what
> you want. You could extend by HuntGroup, NAS-IP, Client-IP, whatever.
> See my previous post to this list archived here:
>
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg16842.h
> tml
>
> Cheers,
> _Mike
> [...]
Re: Authenticate/Attributes based on NAS-IP-Address
Jeff Green wrote:
> Hi Nick,
>
> I've modified FreeRadius to retrieve NAS specific reply items from a
> (Postgresql) table as I have three different NAS h/w that users can
> connect using - they have different IP pools.
>
> Is this similar to what you want to do ?
> [...]

Here's my other post:

Actually I already have two running FreeRADIUS servers with SQL. That isn't the hard part.

The problem with your instructions is that I'm not using ippool to assign dynamic IPs, our NASes are doing that (Portmaster 2/3). I don't have a problem setting up static IPs either, as we have several Dial-Up users who need those also. The problem lies in that I want to use the RADIUS server for PPPoE authentication also. But I want to allow users who log in through PPPoE to also be able to log in regularly (Dial-Up), when their PPPoE isn't logged in. BUT, when they log in through PPPoE, I want them to be assigned a static IP; when they login via Portmasters/Dial-Up, then they don't get the static IP, they get a regular dynamic one.

Basically if a user logs in through NAS1, they are assigned X attributes with a dynamic IP; if they log in through NAS2, they are assigned Y attributes with a static IP. And all this needs to be done in MySQL, that way my own PHP frontend (which I intend to release GPL) can work with it. Also I think MySQL scales better.

-Nick
Re: Authenticate/Attributes based on NAS-IP-Address
Nick,

Extend the MySQL schema and change the SQL queries in sql.conf to do what you want. You could extend by HuntGroup, NAS-IP, Client-IP, whatever. See my previous post to this list archived here:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg16842.h
tml

Cheers,
_Mike

-----Original Message-----
Date: Tue, 07 Jun 2005 19:20:28 -0700
From: N White <[EMAIL PROTECTED]>
Subject: Re: Authenticate/Attributes based on NAS-IP-Address

> Actually I already have two running FreeRADIUS servers with SQL. That
> isn't the hard part.
> [...]
> Basically if a user logs in through NAS1, they are assigned X attributes
> with dynamic IP, if they log in through NAS2, they are assigned Y
> attributes with a static IP. And all this needs to be done in MySQL, that
> way my own PHP frontend (which I intend to release GPL) can work with it.
> Also I think MySQL scales better.
>
> -Nick
RE: Authenticate/Attributes based on NAS-IP-Address
Hi Nick,

I've modified FreeRadius to retrieve NAS specific reply items from a (Postgresql) table as I have three different NAS h/w that users can connect using - they have different IP pools.

Is this similar to what you want to do ?

Regards,

-----Original Message-----
From: N White
Sent: 07 June 2005 22:29
To: FreeRadius users mailing list
Subject: Authenticate/Attributes based on NAS-IP-Address

> Using MySQL as a backend, is there any way to configure Authentication and
> Attribute (replies), based on the NAS-IP-Address sent to the FreeRADIUS
> server? Allow requests from NAS1 to authenticate and have certain
> attributes for users in that group and then allow requests from NAS2 to
> authenticate and have different attributes. Would there be anyway to allow
> a user to be a part of both groups?
>
> Thanks,
> Nick
Re: Authenticate/Attributes based on NAS-IP-Address
Hiya

perhaps you could do it using huntgroups.

Put the static attributes for the user in the radreply table, then assign each nas to a huntgroup, so say

    NAS-dynamic

Then in radgroupreply you put the attributes for dynamic IP assignment on the NAS-dynamic, and ensure there is an attribute to override the static settings.

not 100% about the overriding of the static IP settings, but would think it possible using the assignment ( := ) operator and possibly a null value?

Hope that's of some help.

--
Graeme Hinchliffe (BSc)
Core Systems Designer
Zen Internet (http://www.zen.co.uk/)
Re: Authenticate/Attributes based on NAS-IP-Address
Dustin Doris wrote:
> You don't need to do that, you can do it with SQL in one server.
> [...]
> This says any user from that nas-ip will have Pool-Name set to foo. That
> is what ippool will use to assign ips.
> [...]
> Hope that is helpful.
>
> Dusty Doris

Actually I already have two running FreeRADIUS servers with SQL. That isn't the hard part.

The problem with your instructions is that I'm not using ippool to assign dynamic IPs, our NASes are doing that (Portmaster 2/3). I don't have a problem setting up static IPs either, as we have several Dial-Up users who need those also. The problem lies in that I want to use the RADIUS server for PPPoE authentication also. But I want to allow users who log in through PPPoE to also be able to log in regularly (Dial-Up), when their PPPoE isn't logged in. BUT, when they log in through PPPoE, I want them to be assigned a static IP; when they login via Portmasters/Dial-Up, then they don't get the static IP, they get a regular dynamic one.

Basically if a user logs in through NAS1, they are assigned X attributes with a dynamic IP; if they log in through NAS2, they are assigned Y attributes with a static IP. And all this needs to be done in MySQL, that way my own PHP frontend (which I intend to release GPL) can work with it. Also I think MySQL scales better.

-Nick
Re: Authenticate/Attributes based on NAS-IP-Address
On Tue, 7 Jun 2005, N White wrote:
> Well, thanks for the input. With MySQL, 1500 users is easier to
> maintain. Perhaps I should just run a second FreeRADIUS server for the
> second NAS. It means more equipment, but whatever it takes.
>
> -Nick

You don't need to do that, you can do it with SQL in one server.

First, work on reading the documentation and installing the server and setting up mysql for authorization. Once you've got that down, then move on to the reply values and groups if you want them.

Alan gave you a good start with the users file entries. Read man 5 users, that will tell you about the users file. You'll take that info and transfer it to sql. It would look something like this.

users file only format:

    bob  NAS-IP-Address == foo, Pool-Name := "foo"
    bob  NAS-IP-Address == bar
         Framed-IP-Address := 1.2.3.4

SQL format. In the users file:

    DEFAULT  NAS-IP-Address == foo, Pool-Name := "foo"

This says any user from that nas-ip will have Pool-Name set to foo. That is what ippool will use to assign ips.

In radiusd.conf, in your ip_pool section be sure to include:

    override = no

That makes it so a dynamic ip from ippool will not override one statically assigned to the user as a reply value.

In sql in the radcheck table you put your users and their passwords. In radreply you put the users and their static ip. For example,

    insert into radcheck (username,attribute,value,op)
      VALUES ('bob','User-Password','bobspassword','==');
    insert into radreply (username,attribute,value,op)
      VALUES ('bob','Framed-IP-Address','1.1.1.1',':='),
             ('bob','Framed-IP-Netmask','255.255.255.0',':=');

That should give you a good start. Get it setup and if you run into problems post radiusd -X to the list and describe what you are trying to do. You can add groups into it if you want but right now you probably won't need it.

Hope that is helpful.

Dusty Doris
Re: Authenticate/Attributes based on NAS-IP-Address
Alan DeKok wrote:
> I don't use MySQL, sorry. If you want someone to give you the exact
> answer you're looking for, I suggest you hire a contractor.

Well, thanks for the input. With MySQL, 1500 users is easier to maintain. Perhaps I should just run a second FreeRADIUS server for the second NAS. It means more equipment, but whatever it takes.

-Nick
Re: Authenticate/Attributes based on NAS-IP-Address
N White <[EMAIL PROTECTED]> wrote:
> Yeah, but I want to use MySQL, not the users file.

I don't use MySQL, sorry. If you want someone to give you the exact answer you're looking for, I suggest you hire a contractor.

Alan DeKok.
Re: Authenticate/Attributes based on NAS-IP-Address
Alan DeKok wrote:
> Sure, but it's not really a "group". In the "users" file, you can do:
>
>     bob  NAS-IP-Address == foo, Pool-Name := "foo"
>     bob  NAS-IP-Address == bar
>          Framed-IP-Address := 1.2.3.4

Yeah, but I want to use MySQL, not the users file.
Re: Authenticate/Attributes based on NAS-IP-Address
N White <[EMAIL PROTECTED]> wrote:
> Ok, so is it possible for them to be a part of two groups? The reason I
> ask is that if a customer logs in through NAS1, I want them to be
> assigned a dynamic IP, if they are logged in from NAS2, I want them to
> be assigned a static IP. Is this possible?

Sure, but it's not really a "group". In the "users" file, you can do:

    bob  NAS-IP-Address == foo, Pool-Name := "foo"
    bob  NAS-IP-Address == bar
         Framed-IP-Address := 1.2.3.4

Alan DeKok.
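As an added example, not code from Alan's or Dustin's messages: a small matcher for users-file entries of the kind both of them posted, showing how "NAS-IP-Address == ..." as a check item selects different items for the same user depending on which NAS the request came through. Their entries used the placeholders "foo" and "bar" for the two NAS addresses; the constructed file below uses 10.0.0.1 and 10.0.0.2 instead. The matching rules are simplified (first entry whose name is the User-Name or DEFAULT and whose "==" items all match wins; no Fall-Through), and ":=" items on the check line are set rather than compared, which is how the Pool-Name check item in these entries is meant to work.

```python
"""Added example (not from the thread): parse users-file entries and match
a request against them on NAS-IP-Address."""
import re

# Constructed users file modelled on Alan's and Dustin's entries, with
# 10.0.0.1 / 10.0.0.2 standing in for their "foo" / "bar" NAS placeholders.
USERS_FILE = '''
bob      NAS-IP-Address == 10.0.0.1, Pool-Name := "dialup"
bob      NAS-IP-Address == 10.0.0.2
         Framed-IP-Address := 1.2.3.4
DEFAULT  NAS-IP-Address == 10.0.0.1, Pool-Name := "dialup"
'''

# attribute, operator, value; the value may be double-quoted
PAIR_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(==|:=|=)\s*("[^"]*"|\S+)\s*')


def parse_pairs(text):
    """Turn 'A == x, B := "y"' into [('A', '==', 'x'), ('B', ':=', 'y')]."""
    pairs = []
    for item in text.split(","):
        if not item.strip():
            continue
        match = PAIR_RE.fullmatch(item)
        if match is None:
            raise ValueError(f"cannot parse item: {item!r}")
        attr, op, value = match.groups()
        pairs.append((attr, op, value.strip('"')))
    return pairs


def parse_users(text):
    """Entries start at column 0 as 'name  check items'; the indented lines
    that follow hold that entry's reply items (the man 5 users layout)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if not entries:
                raise ValueError("reply line before any entry")
            entries[-1]["reply"] += parse_pairs(line)
        else:
            head = re.match(r"(\S+)\s*(.*)", line)
            entries.append({"name": head.group(1),
                            "check": parse_pairs(head.group(2)),
                            "reply": []})
    return entries


def authorize(entries, request):
    """First entry whose name is the request's User-Name or DEFAULT and whose
    '==' check items all match the request wins (no Fall-Through handling).
    ':=' items on the check line are set, not compared, and are returned
    under 'control'; reply items come back under 'reply'."""
    for entry in entries:
        if entry["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        control = {}
        matched = True
        for attr, op, value in entry["check"]:
            if op == "==":
                if request.get(attr) != value:
                    matched = False
                    break
            else:
                control[attr] = value
        if matched:
            return {"control": control,
                    "reply": {attr: value for attr, _op, value in entry["reply"]}}
    return None  # no entry matched; the server would move on to other modules


ENTRIES = parse_users(USERS_FILE)

if __name__ == "__main__":
    for nas in ("10.0.0.1", "10.0.0.2"):
        print(nas, authorize(ENTRIES, {"User-Name": "bob", "NAS-IP-Address": nas}))
```

bob coming in through 10.0.0.1 gets Pool-Name set (a dynamic address from the pool, in Dustin's setup) and no static reply; the same user through 10.0.0.2 gets the static Framed-IP-Address instead. Any other user through 10.0.0.1 falls to the DEFAULT entry, and one through 10.0.0.2 matches nothing at all.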
Re: Authenticate/Attributes based on NAS-IP-Address
Alan DeKok wrote:
> Yes. Use it as a check item, like anything else.

Ok, so is it possible for them to be a part of two groups? The reason I ask is that if a customer logs in through NAS1, I want them to be assigned a dynamic IP; if they are logged in from NAS2, I want them to be assigned a static IP. Is this possible? I guess two groups may not even play a role in a statically assigned IP.

Thanks
-Nick
Re: Authenticate/Attributes based on NAS-IP-Address
N White <[EMAIL PROTECTED]> wrote:
> Using MySQL as a backend, is there any way to configure Authentication
> and Attribute (replies), based on the NAS-IP-Address sent to the
> FreeRADIUS server?

Yes. Use it as a check item, like anything else.

Alan DeKok.
Authenticate/Attributes based on NAS-IP-Address
Using MySQL as a backend, is there any way to configure Authentication and Attribute (replies), based on the NAS-IP-Address sent to the FreeRADIUS server? Allow requests from NAS1 to authenticate and have certain attributes for users in that group, and then allow requests from NAS2 to authenticate and have different attributes. Would there be any way to allow a user to be a part of both groups?

Thanks,
Nick