Re: prevent roaming configuration question
isidoros wrote:
> James: I'm almost there (now I'm thinking like this)
> 1) authorize_group_check_query: to check if the user is in a group
> 2) authorize_group_check_query: retrieve the check-items for this group (which is my solution)
> 3) authorize on the check-items.
> if the expression is like this "whether or not to authorize a request, such as User-Password == "mypassword", or Calling-Station-Id != "5554796".
> will all users in the same group authorize by the same password?
> I guess my question is: Is the group check additional to the user check.

Yes, it is additional. Typically you wouldn't check User-Password in the group checks. radcheck is for user-specific checks (like User-Password).

Cheers,

-- 
James Wakefield, Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.
Phone: 03 5227 8690 International: +61 3 5227 8690
Fax: 03 5227 8866 International: +61 3 5227 8866
E-mail: [EMAIL PROTECTED] Website: http://www.deakin.edu.au

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: prevent roaming configuration question
James Wakefield wrote:
> isidoros wrote:
>> Thanks James for your answer, I'm fairly new to freeradius; I have known the package for only 14 days (or radius in general, for that matter).
>> The group configuration is a mystery to me. It is unclear to me how this separates the users. This is how I think:
>> 1) G1 with users A,B,C
>> 2) G2 with users X,Y,Z
>> 3) At a request the configuration determines which group the user belongs to
>> 4) And makes a query for the users A until Z to the same database
>> 5) the auth_query only talks about the user.
>> 6) This is the point where I fail to understand how the group config helps me. The query is made to the same database on behalf of any user.
>> Please spell it out to me where my thinking goes wrong. I would like to understand this group config thing better (if at all at this point in time).
>
> Actually, http://wiki.freeradius.org/Rlm_sql explains it much better than I just did.

James,

Don't do yourself short, your explanation is just what I needed. Everything is working OK with the group config you suggested.

many thanks for your support

regards,
Isidoros
Re: prevent roaming configuration question
James Wakefield wrote:
> isidoros wrote:
>> Thanks James for your answer, I'm fairly new to freeradius; I have known the package for only 14 days (or radius in general, for that matter).
>> The group configuration is a mystery to me. It is unclear to me how this separates the users. This is how I think:
>> 1) G1 with users A,B,C
>> 2) G2 with users X,Y,Z
>> 3) At a request the configuration determines which group the user belongs to
>> 4) And makes a query for the users A until Z to the same database
>> 5) the auth_query only talks about the user.
>> 6) This is the point where I fail to understand how the group config helps me. The query is made to the same database on behalf of any user.
>> Please spell it out to me where my thinking goes wrong. I would like to understand this group config thing better (if at all at this point in time).
>
> Hi Isidoros,
>
> In sql.conf,
>
>   authcheck_table = "radcheck"
>   authreply_table = "radreply"
>   groupcheck_table = "radgroupcheck"
>   groupreply_table = "radgroupreply"
>   usergroup_table = "usergroup"
>
> groupcheck_table and usergroup_table are referred to here:
>
>   authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName, \
>     ${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op \
>     FROM ${groupcheck_table},${usergroup_table} \
>     WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' \
>     AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName \
>     ORDER BY ${groupcheck_table}.id"
>
> This retrieves all the check items that apply to the group the user belongs to. The usergroup table maps users to groups, and radgroupcheck maps groups to check items.
>
> A check item, which will be a new term to you if you're a newbie, is an expression which is evaluated when deciding whether or not to authorize a request, such as User-Password == "mypassword", or Calling-Station-Id != "5554796".
>
> When rlm_sql is invoked to authorize a request, the user's check items in radcheck are evaluated. When the user is in a group, this might only be to check User-Password. Then, authorize_group_check_query is used to retrieve check items for the user's group, which are then evaluated.
>
> If all the applicable check items, from both radcheck and radgroupcheck, match, then the reply items - Attribute=Value pairs sent from freeradius to the NAS when it sends the Access-Accept message for an authorized request - are retrieved by querying radreply, for reply items specific to the user, and radgroupreply, for reply items specific to the user's group.
>
> Make any more sense?
>
>> In the meanwhile: I have solved the problem with the below changes:
>>
>> in sql.conf replace this rule with:
>>
>>   authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
>>     FROM ${authcheck_table} \
>>     WHERE Username = '%{SQL-User-Name}' AND \
>>     Location = (SELECT Location FROM nas WHERE nasname = '%{NAS-Identifier}') \
>>     ORDER BY id"
>>
>> in mysql fill the nas table with your info:
>>
>>   INSERT INTO nas (nasname, nasshortname, type, secret, Location)
>>   VALUES ('yournasname in chillspot', 'anyname', 'other', 'shared secret', 'Location-number');
>>
>> It works, but I have no idea if this is "best practice" or I'm seriously damaging the config.
>
> Best practice is to not change any code if you don't have to. By using groups, you don't have to change any code.
>
> I wouldn't say you've "seriously damaged" the config, but you may find that it doesn't behave in the future. I would recommend spending the time getting groups and group checks to work, then reverting any SQL queries you've altered back to their defaults. It'll be much less painful in the long run.
>
> Cheers,

James: I'm almost there (now I'm thinking like this)
1) authorize_group_check_query: to check if the user is in a group
2) authorize_group_check_query: retrieve the check-items for this group (which is my solution)
3) authorize on the check-items.
if the expression is like this "whether or not to authorize a request, such as User-Password == "mypassword", or Calling-Station-Id != "5554796".
will all users in the same group authorize by the same password?
I guess my question is: Is the group check additional to the user check.

regards,
isidoros
Re: prevent roaming configuration question
James Wakefield wrote:
> isidoros wrote:
>> Thanks James for your answer, I'm fairly new to freeradius; I have known the package for only 14 days (or radius in general, for that matter).
>> The group configuration is a mystery to me. It is unclear to me how this separates the users. This is how I think:
>> 1) G1 with users A,B,C
>> 2) G2 with users X,Y,Z
>> 3) At a request the configuration determines which group the user belongs to
>> 4) And makes a query for the users A until Z to the same database
>> 5) the auth_query only talks about the user.
>> 6) This is the point where I fail to understand how the group config helps me. The query is made to the same database on behalf of any user.
>> Please spell it out to me where my thinking goes wrong. I would like to understand this group config thing better (if at all at this point in time).

Actually, http://wiki.freeradius.org/Rlm_sql explains it much better than I just did.

-- 
James Wakefield, Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.
Phone: 03 5227 8690 International: +61 3 5227 8690
Fax: 03 5227 8866 International: +61 3 5227 8866
E-mail: [EMAIL PROTECTED] Website: http://www.deakin.edu.au
Re: prevent roaming configuration question
isidoros wrote:
> Thanks James for your answer, I'm fairly new to freeradius; I have known the package for only 14 days (or radius in general, for that matter).
> The group configuration is a mystery to me. It is unclear to me how this separates the users. This is how I think:
> 1) G1 with users A,B,C
> 2) G2 with users X,Y,Z
> 3) At a request the configuration determines which group the user belongs to
> 4) And makes a query for the users A until Z to the same database
> 5) the auth_query only talks about the user.
> 6) This is the point where I fail to understand how the group config helps me. The query is made to the same database on behalf of any user.
> Please spell it out to me where my thinking goes wrong. I would like to understand this group config thing better (if at all at this point in time).

Hi Isidoros,

In sql.conf,

  authcheck_table = "radcheck"
  authreply_table = "radreply"
  groupcheck_table = "radgroupcheck"
  groupreply_table = "radgroupreply"
  usergroup_table = "usergroup"

groupcheck_table and usergroup_table are referred to here:

  authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName, \
    ${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op \
    FROM ${groupcheck_table},${usergroup_table} \
    WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' \
    AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName \
    ORDER BY ${groupcheck_table}.id"

This retrieves all the check items that apply to the group the user belongs to. The usergroup table maps users to groups, and radgroupcheck maps groups to check items.

A check item, which will be a new term to you if you're a newbie, is an expression which is evaluated when deciding whether or not to authorize a request, such as User-Password == "mypassword", or Calling-Station-Id != "5554796".

When rlm_sql is invoked to authorize a request, the user's check items in radcheck are evaluated. When the user is in a group, this might only be to check User-Password. Then, authorize_group_check_query is used to retrieve check items for the user's group, which are then evaluated.

If all the applicable check items, from both radcheck and radgroupcheck, match, then the reply items - Attribute=Value pairs sent from freeradius to the NAS when it sends the Access-Accept message for an authorized request - are retrieved by querying radreply, for reply items specific to the user, and radgroupreply, for reply items specific to the user's group.

Make any more sense?

> In the meanwhile: I have solved the problem with the below changes:
>
> in sql.conf replace this rule with:
>
>   authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
>     FROM ${authcheck_table} \
>     WHERE Username = '%{SQL-User-Name}' AND \
>     Location = (SELECT Location FROM nas WHERE nasname = '%{NAS-Identifier}') \
>     ORDER BY id"
>
> in mysql fill the nas table with your info:
>
>   INSERT INTO nas (nasname, nasshortname, type, secret, Location)
>   VALUES ('yournasname in chillspot', 'anyname', 'other', 'shared secret', 'Location-number');
>
> It works, but I have no idea if this is "best practice" or I'm seriously damaging the config.

Best practice is to not change any code if you don't have to. By using groups, you don't have to change any code.

I wouldn't say you've "seriously damaged" the config, but you may find that it doesn't behave in the future. I would recommend spending the time getting groups and group checks to work, then reverting any SQL queries you've altered back to their defaults. It'll be much less painful in the long run.

Cheers,

-- 
James Wakefield, Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.
Phone: 03 5227 8690 International: +61 3 5227 8690
Fax: 03 5227 8866 International: +61 3 5227 8866
E-mail: [EMAIL PROTECTED] Website: http://www.deakin.edu.au
Re: prevent roaming configuration question
James Wakefield wrote:
> isidoros wrote:
>> Goal:
>> users X,Y,Z should only be authenticated on NAS1 and not on NAS2 or any other nas
>> users A,B,C should only be authenticated on NAS2 and not on NAS1 or any other nas
>> etc
>
> G'day,
>
> You'll probably want users X,Y,Z mapped to one group (let's say, G1), and A,B,C mapped to another (let's say, G2) in your usergroup table. You can then use NAS-IP-Address as a check item in radgroupcheck to authorize only G1 from NAS1's IP address, and authorize only G2 from NAS2's IP address. You shouldn't have to touch any of the SQL queries in sql.conf.
>
> http://wiki.freeradius.org/Rlm_sql should provide the info you need to do the above.
>
> Cheers,

Thanks James for your answer, I'm fairly new to freeradius; I have known the package for only 14 days (or radius in general, for that matter).

The group configuration is a mystery to me. It is unclear to me how this separates the users. This is how I think:
1) G1 with users A,B,C
2) G2 with users X,Y,Z
3) At a request the configuration determines which group the user belongs to
4) And makes a query for the users A until Z to the same database
5) the auth_query only talks about the user.
6) This is the point where I fail to understand how the group config helps me. The query is made to the same database on behalf of any user.

Please spell it out to me where my thinking goes wrong. I would like to understand this group config thing better (if at all at this point in time).

In the meanwhile: I have solved the problem with the below changes:

in sql.conf replace this rule with:

  authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
    FROM ${authcheck_table} \
    WHERE Username = '%{SQL-User-Name}' AND \
    Location = (SELECT Location FROM nas WHERE nasname = '%{NAS-Identifier}') \
    ORDER BY id"

in mysql fill the nas table with your info:

  INSERT INTO nas (nasname, nasshortname, type, secret, Location)
  VALUES ('yournasname in chillspot', 'anyname', 'other', 'shared secret', 'Location-number');

It works, but I have no idea if this is "best practice" or I'm seriously damaging the config.

regards,
isidoros
Re: prevent roaming configuration question
isidoros wrote:
> Goal:
> users X,Y,Z should only be authenticated on NAS1 and not on NAS2 or any other nas
> users A,B,C should only be authenticated on NAS2 and not on NAS1 or any other nas
> etc

G'day,

You'll probably want users X,Y,Z mapped to one group (let's say, G1), and A,B,C mapped to another (let's say, G2) in your usergroup table. You can then use NAS-IP-Address as a check item in radgroupcheck to authorize only G1 from NAS1's IP address, and authorize only G2 from NAS2's IP address. You shouldn't have to touch any of the SQL queries in sql.conf.

http://wiki.freeradius.org/Rlm_sql should provide the info you need to do the above.

Cheers,

-- 
James Wakefield, Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.
Phone: 03 5227 8690 International: +61 3 5227 8690
Fax: 03 5227 8866 International: +61 3 5227 8866
E-mail: [EMAIL PROTECTED] Website: http://www.deakin.edu.au
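The authorize flow James describes in his longer reply (user check items from radcheck, then group check items through usergroup and radgroupcheck, then user and group reply items), applied to the NAS-restriction goal from the first message in the thread, as an added worked example that is not part of this thread or of FreeRADIUS itself. It builds the five rlm_sql tables in an in-memory SQLite database with constructed sample rows (users X and A, groups G1 and G2, NAS addresses 192.0.2.1 and 192.0.2.2), runs queries equivalent to the default sql.conf ones with the table names substituted for the ${...} variables, and evaluates the returned check items against a request given as a plain dictionary. The operator semantics in check_items_match are a deliberately simplified assumption, and User-Password is used as the check item because that is the form the thread uses; current FreeRADIUS releases store the password as Cleartext-Password := in radcheck instead.

```python
import sqlite3

# Constructed miniature of the rlm_sql schema plus sample rows (all hypothetical data).
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);

-- per-user check items: the password lives in radcheck, never in the group tables
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('X', 'User-Password', '==', 'xpass');
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('A', 'User-Password', '==', 'apass');
-- usergroup maps users to groups; radgroupcheck maps each group to its NAS restriction
INSERT INTO usergroup VALUES ('X', 'G1');
INSERT INTO usergroup VALUES ('A', 'G2');
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES ('G1', 'NAS-IP-Address', '==', '192.0.2.1');
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES ('G2', 'NAS-IP-Address', '==', '192.0.2.2');
-- reply items, one user-specific and one group-specific
INSERT INTO radreply      (UserName,  Attribute, op, Value) VALUES ('X',  'Framed-IP-Address', '=', '10.0.0.5');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('G1', 'Session-Timeout',   '=', '3600');
"""

# Equivalents of the default sql.conf queries, with table names filled in for ${...}.
AUTHORIZE_CHECK = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE UserName = ? ORDER BY id"
AUTHORIZE_GROUP_CHECK = """
SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value, radgroupcheck.op
FROM radgroupcheck, usergroup
WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id"""
AUTHORIZE_REPLY = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE UserName = ? ORDER BY id"
AUTHORIZE_GROUP_REPLY = """
SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.op
FROM radgroupreply, usergroup
WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id"""


def build_db():
    """Create the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def check_items_match(rows, request):
    """Evaluate check items (rows as returned by the queries above) against the request's
    attributes. Simplified operator semantics (an assumption, not FreeRADIUS's full set):
    '==' requires an equal request attribute, '!=' requires it to be absent or different,
    and any other operator (':=', '=') sets a control item without failing the comparison."""
    for _id, _owner, attr, value, op in rows:
        actual = request.get(attr)
        if op == "==" and actual != value:
            return False
        if op == "!=" and actual == value:
            return False
    return True


def authorize(conn, request):
    """Mimic rlm_sql authorize: evaluate user check items, then group check items;
    on success collect the user's reply items followed by the group's reply items."""
    user = request["User-Name"]
    user_checks = conn.execute(AUTHORIZE_CHECK, (user,)).fetchall()
    group_checks = conn.execute(AUTHORIZE_GROUP_CHECK, (user,)).fetchall()
    if not user_checks and not group_checks:
        return False, {}                      # unknown user: nothing to match against
    if not check_items_match(user_checks, request):
        return False, {}                      # e.g. wrong password
    if not check_items_match(group_checks, request):
        return False, {}                      # e.g. right password but wrong NAS
    reply = {}
    for _id, _owner, attr, value, _op in conn.execute(AUTHORIZE_REPLY, (user,)):
        reply[attr] = value
    for _id, _owner, attr, value, _op in conn.execute(AUTHORIZE_GROUP_REPLY, (user,)):
        reply[attr] = value
    return True, reply


if __name__ == "__main__":
    db = build_db()
    for req in (
        {"User-Name": "X", "User-Password": "xpass", "NAS-IP-Address": "192.0.2.1"},  # X at NAS1: accept
        {"User-Name": "X", "User-Password": "xpass", "NAS-IP-Address": "192.0.2.2"},  # X roaming to NAS2: reject
        {"User-Name": "A", "User-Password": "apass", "NAS-IP-Address": "192.0.2.2"},  # A at NAS2: accept
        {"User-Name": "A", "User-Password": "nope",  "NAS-IP-Address": "192.0.2.2"},  # bad password: reject
    ):
        print(req["User-Name"], "from", req["NAS-IP-Address"], "->", authorize(db, req))
```

The point of the data layout is the one James makes: the per-user password stays in radcheck, the NAS restriction is stated once per group in radgroupcheck, and moving a user between sites is a single usergroup row rather than an edited query in sql.conf. One caveat that applies equally to the NAS-IP-Address check item and to the NAS-Identifier subquery in the modified authorize_check_query: both attributes are carried inside the RADIUS packet and are filled in by the NAS itself, so what actually vouches for them is the shared secret that authenticates the request. Give each NAS its own secret in the nas table (or clients.conf) so that a request claiming NAS1's address can only come from a client holding NAS1's secret.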