RE: Freeradius-Users Digest, Vol 55, Issue 113

2009-11-25 Thread tnt
>> You *can* have multiple entries (rows) for each user. You don't have to
>> cram everything into a single row.
>
> Okay, but I don't think it makes any sense that you have multiple inputs
> of the same user in a table?

It doesn't make sense - to you. Everybody else is quite OK with that. You
evidently don't know much about databases: relations can be one to one,
one to many, many to many, ... Find a book and learn something about
things before you express views about what does and what doesn't make
sense.

> Say for example that you have like 200 different users and every user has
> to have like 3 different attributes. The table would get extremely large.

Please! What you are describing is laughably small.

> What I want to do is to through MySQL link a user to a specific group and
> in that way start up the segmentation. So depending on what group you are
> a member in you get into different VLANs etc. That's why I hoped that I
> could use "radusergroup" to link a user to a group and then in
> "radgroupcheck" add group specific attributes like NAS-Port-Id's or
> Called-Station-Id's and in that way being able to do a segmentation on
> SSID or WLAN.

You can use it for that. In your last post you were asking if the user
that doesn't match any group will be rejected. That won't happen. User
will still get authenticated (using data from radcheck) and since he will
have no VLAN information in the reply NAS will most likely place him in a
default VLAN.

> What I need is a GUI where you can search for a specific group and add a
> new user or edit a user in that group.
> I really don't want to see a list of all the users there is and then have
> to search through 200 users to find the one I wish to edit.
> So is it possible with dialupadmin to add a user and link that user to a
> group so you can only list that group's users?
> Also is it possible in any way to make group specific attributes so I won't
> have to add SSID restrictions on user level?
>
> I have seen in the source of Freeradius that dialup admin comes with it.
> I've started to think about testing it.
> So do I need to build dialupadmin in the same way I did with OpenSSL and
> FreeRadius or did it get installed at the same time as I installed
> Freeradius?
> Also is there anywhere I can read about how to link dialup admin to MySQL
> etc.?

Start with README file in dialup_admin directory and:

http://freeradius.org/dialupadmin.html

That should answer most of your questions.

Ivan Kalik



RE: Freeradius-Users Digest, Vol 55, Issue 113

2009-11-25 Thread Peter Carlstedt


> Message: 2
> Date: Tue, 24 Nov 2009 19:35:17 - (UTC)
> From: t...@kalik.net
> Subject: Re: The MySQL databases for Freeradius
> To: "FreeRadius users mailing list"
>   
> Message-ID: <64909.87.194.16.13.1259091317.squir...@www.kalik.net>
> Content-Type: text/plain;charset=iso-8859-1
> 
> > I am sitting here trying to figure out how FreeRadius works towards MySQL.
> >
> > The database "radcheck" is for a single user if I have understood it
> > correctly.
> >
> > What I want to do is that through MS Access make a form where I can add
> > several attributes to the same row in the table.
> >
> > But since radcheck only seems to work with one attribute per row for one
> > user I don't really know how to do.
> 
> You *can* have multiple entries (rows) for each user. You don't have to
> cram everything into a single row.

Okay, but I don't think it makes any sense that you have multiple inputs of the
same user in a table?
Say for example that you have like 200 different users and every user has to
have like 3 different attributes. The table would get extremely large.
What I want to do is to through MySQL link a user to a specific group and in
that way start up the segmentation. So depending on what group you are a member
in you get into different VLANs etc. That's why I hoped that I could use
"radusergroup" to link a user to a group and then in "radgroupcheck" add group
specific attributes like NAS-Port-Id's or Called-Station-Id's and in that way
being able to do a segmentation on SSID or WLAN.
> 
> > What I mean is that if I have a user called "test-user" and want to have
> > two attributes for that user, in this case "Cleartext-Password" &
> > "NAS-Port-Id" I need to have two rows for that user.
> 
> Yes, you do.
> 
> > radcheck:
> >
> > --
> >
> > |id|username   |attribute  |op |value |
> >
> > |1 |user-test   |Cleartext-Password|== |test-pass   |
> 
> That should be :=.
> 
> > |2 |user-test   |NAS-Port-Id  |== |raket |
> >
> > ---
> >
> > The reason I want to make a form is because I want others than me being
> > able to add new users and have them connected to the correct group which
> > then will have a separate VLAN and SSID.
> 
> The form you generate with MS Access will put data into - MS Access
> backend. You can't connect that form to MySQL. If you are a fan of Windows
> use Windows (ASP.NET) forms or webforms which can place data into MySQL.

I have actually been able to do changes to the MySQL table by using MS Access
and ODBC.
But I have had some problems making a form that works towards radcheck though.
I'm not really a Windows fan, but I need a backend that restricts the admins
from messing up the Freeradius server.
What I need is a GUI where you can search for a specific group and add a new
user or edit a user in that group.
I really don't want to see a list of all the users there is and then have to
search through 200 users to find the one I wish to edit.
So is it possible with dialupadmin to add a user and link that user to a group
so you can only list that group's users?
Also is it possible in any way to make group specific attributes so I won't have
to add SSID restrictions on user level?

I have seen in the source of Freeradius that dialup admin comes with it. I've
started to think about testing it.
So do I need to build dialupadmin in the same way I did with OpenSSL and
FreeRadius or did it get installed at the same time as I installed Freeradius?
Also is there anywhere I can read about how to link dialup admin to MySQL etc.?
> 
> Freeradius comes with its own admin GUI - dialup admin. There are also
> outside projects like daloRadius. Or you can make your own using things
> like PHP.
> 
> > So then I thought that if i use the table called "radusergroup" and link
> > the user to a specific group it should work in a way that all members of
> > this group may only connect to the network if they try to connect to the
> > correct SSID. It seems that did not work either.
> 
> No, it will not work. Groups in sql emulate DEFAULT entries in users file
> - if check doesn't match, replies are ignored - user is not rejected.
> 
> > I am at a loss here and
> > don't really know what I should do.
> 
> If you want user to get rejected if SSID doesn't match, you will need to
> make it an entry in radcheck table. As long as the password is there too
> user will be rejected.
> 
> Ivan Kalik

Thank you for your time.

Best regards/ Peter Carlstedt
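
The check/reply behaviour discussed in this thread, as an added example that is not part of either post and is not FreeRADIUS code: a simplified Python model in which a failed comparison in radcheck discards the user's whole entry (password included, so the user is rejected), while a failed comparison in radgroupcheck only drops that group's reply. The user "user-strict", the group name, the Called-Station-Id values, the VLAN id and all function names are constructed for illustration.

```python
# Simplified model of the behaviour described in the thread; not FreeRADIUS code.
# All users, groups, Called-Station-Id values and VLAN ids are constructed samples.
RADCHECK = {  # username -> rows of (attribute, op, value), one row per attribute
    "user-test": [("Cleartext-Password", ":=", "test-pass")],
    "user-strict": [("Cleartext-Password", ":=", "test-pass"),
                    ("Called-Station-Id", "==", "00-11-22-33-44-55:staff")],
}
RADUSERGROUP = {"user-test": ["staff"], "user-strict": ["staff"]}
RADGROUPCHECK = {"staff": [("Called-Station-Id", "==", "00-11-22-33-44-55:staff")]}
RADGROUPREPLY = {"staff": [("Tunnel-Private-Group-Id", ":=", "20")]}


def checks_match(rows, request):
    """True when every '==' row equals the same attribute in the request."""
    return all(request.get(attr) == val for attr, op, val in rows if op == "==")


def authorize(request):
    """Return (result, reply attributes) for one Access-Request."""
    user = request["User-Name"]
    control, reply = {}, {}
    user_rows = RADCHECK.get(user, [])
    # radcheck: one failed comparison discards the whole entry, password included.
    if user_rows and checks_match(user_rows, request):
        control.update((a, v) for a, op, v in user_rows if op == ":=")
    # Groups act like DEFAULT entries: a failed check only skips the group's reply.
    for group in RADUSERGROUP.get(user, []):
        if checks_match(RADGROUPCHECK.get(group, []), request):
            reply.update((a, v) for a, _op, v in RADGROUPREPLY.get(group, []))
    # Without a known-good password in control there is nothing to verify against.
    known_good = control.get("Cleartext-Password")
    if known_good is None or known_good != request.get("User-Password"):
        return "Access-Reject", {}
    return "Access-Accept", reply


def request_for(user, called_station_id):
    """Build a constructed sample request carrying the correct password."""
    return {"User-Name": user, "User-Password": "test-pass",
            "Called-Station-Id": called_station_id}
```

With the SSID restriction only in radgroupcheck, "user-test" on the wrong SSID is accepted without VLAN attributes; with the same restriction in radcheck, "user-strict" on the wrong SSID is rejected.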