Re: how to use groups within freeradius

2011-07-04 Thread Gary T. Giesen
I'm trying to do the same thing as your second example:

I set up a group in radgroupcheck:

id  groupname  attribute       op  value
1   PVT        NAS-IP-Address  ==  10.99.0.47


and the corresponding rows in radgroupreply:

id  groupname  attribute      op  value
26  PVT        Auth-Type      :=  Reject
27  PVT        Reply-Message  :=  Hello world!


rad_recv: Access-Request packet from host 10.99.0.47 port 1645,
id=108, length=146
Framed-Protocol = PPP
User-Name = test.ca/branchtest1
User-Password = poochpatrol
Calling-Station-Id = bas110002200045
Connect-Info = 15552
NAS-Port-Type = Virtual
NAS-Port = 46
NAS-Port-Id = Uniq-Sess-ID46
Service-Type = Framed-User
NAS-IP-Address = 10.99.0.47


[sql-auth]  expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'   ORDER BY priority -
SELECT groupname   FROM radusergroup   WHERE username
= test.ca/branchtest1'   ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM radusergroup
   WHERE username = 'test.ca/branchtest1'   ORDER BY
priority
[sql-auth]  expand: SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE groupname =
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname,
attribute,   Value, op   FROM radgroupcheck
WHERE groupname = 'PVT'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,
Value, op   FROM radgroupcheck   WHERE groupname =
'PVT'   ORDER BY id
[sql-auth] User found in group PVT
[sql-auth]  expand: SELECT id, groupname, attribute,   value,
op   FROM radgroupreply   WHERE groupname =
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname,
attribute,   value, op   FROM radgroupreply
WHERE groupname = 'AKN-PVT'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,
value, op   FROM radgroupreply   WHERE groupname =
'PVT'   ORDER BY id
rlm_sql (sql-auth): Released sql socket id: 3
++[sql-auth] returns ok

Sending Access-Accept of id 108 to 10.99.0.47 port 1645
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Service-Type := Framed-User
Framed-Protocol += PPP
Framed-IP-Address += 172.23.254.1
Cisco-AVPair += lcp:interface-config#1=bandwidth 4032
Cisco-AVPair += lcp:interface-config#1=bandwidth receive 800
Reply-Message += Hello world!
Finished request 2.

As you can see, it's definitely matching on the group, and even
applying one of the attributes (Reply-Message), but it's authenticating
the user (and obviously shouldn't be). Any thoughts?

GG

On Tue, Jun 28, 2011 at 9:31 AM, Ken Felix kfe...@jdltech.com wrote:
 Phil

 your examples were straight on, and very helpful. I ended up using SQLgroup 
 within /etc/freeradius/users + huntgroups and the groups that I've 
 created; it worked the very 1st time, with no problems. To answer your 
 other question, this is the freeradius version:


 root@TACACS:/etc/init.d# freeradius -v | grep Version
 freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built on 
 Mar 30 2007 at 22:44:34
 root@TACACS:/etc/init.d#


 Thanks


 -Original Message-
 From: freeradius-users-bounces+kfelix=jdltech@lists.freeradius.org on 
 behalf of Phil Mayers
 Sent: Tue 6/28/2011 3:55 AM
 To: freeradius-users@lists.freeradius.org
 Subject: Re: how to use  groups within freeradius

 On 06/27/2011 09:29 PM, Ken Felix wrote:

 Can anybody post a simple howto with regards to using groups within
 freeradius?  What we would like to do is restrict some users from
 logging into various firewalls. I've created usergroups and defined


 Which version of FreeRADIUS are you using?

 Anyway, the group config you've written doesn't do what you want. All it
 says is if you're this username and coming from these IPs, you're in
 the group.

 You're not actually acting on the group membership.

 There are lots of ways to do this, but personally I prefer to keep SQL
 groups entirely user-based, and use huntgroups for NAS IPs, then compare
 the two. So:

 raddb/huntgroups:

 restricted      NAS-IP-Address == 192.0.2.1

 raddb/sites-enabled/xxx:

 authorize {
   if (Huntgroup-Name == restricted) {
     if (SQL-Group == restricted) {
       # ok to login
     }
     else {
       reject
     }
   }
 }

 ...or if you prefer to use a users file, in raddb/users:

 DEFAULT Huntgroup-Name == restricted, SQL-Group == restricted
        Fall-Through = No
 DEFAULT Huntgroup-Name == restricted, Auth-Type := Reject
        Fall-Through = No


 There are lots of other ways to accomplish

Re: how to use groups within freeradius

2011-06-28 Thread Phil Mayers

On 06/27/2011 09:29 PM, Ken Felix wrote:


Can anybody post a simple howto with regards to using groups within
freeradius?  What we would like to do is restrict some users from
logging into various firewalls. I've created usergroups and defined



Which version of FreeRADIUS are you using?

Anyway, the group config you've written doesn't do what you want. All it 
says is if you're this username and coming from these IPs, you're in 
the group.


You're not actually acting on the group membership.

There are lots of ways to do this, but personally I prefer to keep SQL 
groups entirely user-based, and use huntgroups for NAS IPs, then compare 
the two. So:


raddb/huntgroups:

restricted  NAS-IP-Address == 192.0.2.1

raddb/sites-enabled/xxx:

authorize {
  if (Huntgroup-Name == restricted) {
    if (SQL-Group == restricted) {
      # ok to login
    }
    else {
      reject
    }
  }
}

...or if you prefer to use a users file, in raddb/users:

DEFAULT Huntgroup-Name == restricted, SQL-Group == restricted
        Fall-Through = No
DEFAULT Huntgroup-Name == restricted, Auth-Type := Reject
        Fall-Through = No


There are lots of other ways to accomplish this. The point being, you 
need to actually check the group, and if you define the group so that it 
depends on the username, and the thing they're permitted to access, 
then you're essentially writing a whitelist and would need something 
like, in your example, raddb/users:


DEFAULT SQL-Group == xxx
        Fall-Through = No

DEFAULT SQL-Group == yyy
        Fall-Through = No

DEFAULT Auth-Type := Reject
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
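An added example (written for this page; not FreeRADIUS code, and not from any of the posters) that models the two behaviours discussed in this thread: the Huntgroup-Name / SQL-Group users-file entries Phil gives above, and the rlm_sql group processing behind Gary's debug trace further up. The model keeps the control list (check items) and the reply list (reply items) apart, as the server does: "==" check items decide whether an entry or SQL group matches, ":=" check items set control attributes on a match, reply items go to the reply list, and only Fall-Through = Yes lets processing continue past a matching entry. That separation is what Gary's trace shows: radgroupreply rows land in the reply list, so an Auth-Type := Reject row there never reaches the control list that decides Auth-Type, whereas the same row in radgroupcheck does. The usernames alice and bob, the NAS 198.51.100.9, the contents of the group tables and the functions compare, evaluate, run_users and run_sql are constructed for the example; the group PVT, NAS 10.99.0.47, user test.ca/branchtest1 and the restricted huntgroup at 192.0.2.1 come from the thread.

```python
# Added example, not FreeRADIUS code: a small model of how the server walks
# users-file entries and SQL group rows, keeping the control list (check items)
# separate from the reply list (reply items). Policy data is taken from the
# thread's examples; usernames alice/bob and NAS 198.51.100.9 are made up.
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One users-file entry or one SQL group. check: (attr, op, value) with op
    '==' (must match the request) or ':=' (set in the control list on match).
    reply: (attr, op, value) added to the reply list on match."""
    name: str
    check: list
    reply: list = field(default_factory=list)


# raddb/huntgroups: huntgroup name -> NAS addresses (Phil's example NAS).
HUNTGROUPS = {"restricted": {"192.0.2.1"}}
# radusergroup table: user -> groups in priority order (constructed rows).
RADUSERGROUP = {
    "alice": ["restricted"],
    "bob": ["staff"],
    "test.ca/branchtest1": ["PVT"],   # Gary's user and group
}


def compare(attr, value, request):
    """'==' comparison for one check item. Huntgroup-Name and SQL-Group are
    virtual attributes resolved from the NAS address and the user's groups;
    anything else is compared with the request packet."""
    if attr == "Huntgroup-Name":
        return request.get("NAS-IP-Address") in HUNTGROUPS.get(value, set())
    if attr == "SQL-Group":
        return value in RADUSERGROUP.get(request.get("User-Name"), [])
    return request.get(attr) == value


def evaluate(entries, request):
    """Walk entries in order. On a match, ':=' check items go to the control
    list and reply items to the reply list; stop unless Fall-Through = Yes.
    (Reply operators =, := and += are collapsed to 'set' to keep this short.)"""
    control, reply = {}, {}
    for entry in entries:
        if not all(compare(a, v, request)
                   for a, op, v in entry.check if op == "=="):
            continue
        for a, op, v in entry.check:
            if op == ":=":
                control[a] = v
        fall_through = False
        for a, op, v in entry.reply:
            if a == "Fall-Through":
                fall_through = (v == "Yes")
            else:
                reply[a] = v
        if not fall_through:
            break
    return control, reply


def decision(control):
    """Assumes the password check passes (as in both debug traces): only an
    Auth-Type := Reject in the control list turns the answer into a reject."""
    return "Access-Reject" if control.get("Auth-Type") == "Reject" else "Access-Accept"


# Phil's raddb/users entries: on the restricted NAS, only SQL group
# "restricted" may log in; everyone else on that NAS gets Auth-Type := Reject.
USERS_FILE = [
    Entry("DEFAULT", [("Huntgroup-Name", "==", "restricted"),
                      ("SQL-Group", "==", "restricted")],
          [("Fall-Through", "=", "No")]),
    Entry("DEFAULT", [("Huntgroup-Name", "==", "restricted"),
                      ("Auth-Type", ":=", "Reject")],
          [("Fall-Through", "=", "No")]),
]

# Gary's rows as posted: Auth-Type := Reject lives in radgroupreply.
SQL_GROUPS_AS_POSTED = [
    Entry("PVT", [("NAS-IP-Address", "==", "10.99.0.47")],
          [("Auth-Type", ":=", "Reject"), ("Reply-Message", ":=", "Hello world!")]),
]
# The same policy with the Auth-Type row moved to radgroupcheck.
SQL_GROUPS_FIXED = [
    Entry("PVT", [("NAS-IP-Address", "==", "10.99.0.47"),
                  ("Auth-Type", ":=", "Reject")],
          [("Reply-Message", ":=", "Hello world!")]),
]


def run_users(user, nas_ip):
    """Evaluate the users-file entries for one Access-Request."""
    control, reply = evaluate(USERS_FILE, {"User-Name": user, "NAS-IP-Address": nas_ip})
    return decision(control), reply


def run_sql(group_table, user, nas_ip):
    """rlm_sql group processing: only the groups the user belongs to
    (radusergroup, in priority order) are evaluated."""
    groups = [g for name in RADUSERGROUP.get(user, [])
              for g in group_table if g.name == name]
    control, reply = evaluate(groups, {"User-Name": user, "NAS-IP-Address": nas_ip})
    return decision(control), reply


if __name__ == "__main__":
    print(run_users("alice", "192.0.2.1"))    # ('Access-Accept', {})
    print(run_users("bob", "192.0.2.1"))      # ('Access-Reject', {})
    print(run_users("bob", "198.51.100.9"))   # ('Access-Accept', {}): NAS not in huntgroup
    print(run_sql(SQL_GROUPS_AS_POSTED, "test.ca/branchtest1", "10.99.0.47"))
    # ('Access-Accept', {'Auth-Type': 'Reject', 'Reply-Message': 'Hello world!'})
    print(run_sql(SQL_GROUPS_FIXED, "test.ca/branchtest1", "10.99.0.47"))
    # ('Access-Reject', {'Reply-Message': 'Hello world!'})
```

The last two calls reproduce the symptom in Gary's trace and the corrected layout side by side: with the rows as posted, Reply-Message is delivered but the request is still accepted because Auth-Type only ever reached the reply list; once the Auth-Type row is a check item, the control list carries Reject and the reply still includes the message.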


RE: how to use groups within freeradius

2011-06-28 Thread Ken Felix
Phil

your examples were straight on, and very helpful. I ended up using SQLgroup 
within /etc/freeradius/users + huntgroups and the groups that I've created; 
it worked the very 1st time, with no problems. To answer your other 
question, this is the freeradius version:


root@TACACS:/etc/init.d# freeradius -v | grep Version
freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built on Mar 
30 2007 at 22:44:34
root@TACACS:/etc/init.d#


Thanks


-Original Message-
From: freeradius-users-bounces+kfelix=jdltech@lists.freeradius.org on 
behalf of Phil Mayers
Sent: Tue 6/28/2011 3:55 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: how to use  groups within freeradius
 
On 06/27/2011 09:29 PM, Ken Felix wrote:

 Can anybody post a simple howto with regards to using groups within
 freeradius?  What we would like to do is restrict some users from
 logging into various firewalls. I've created usergroups and defined


Which version of FreeRADIUS are you using?

Anyway, the group config you've written doesn't do what you want. All it 
says is if you're this username and coming from these IPs, you're in 
the group.

You're not actually acting on the group membership.

There are lots of ways to do this, but personally I prefer to keep SQL 
groups entirely user-based, and use huntgroups for NAS IPs, then compare 
the two. So:

raddb/huntgroups:

restricted  NAS-IP-Address == 192.0.2.1

raddb/sites-enabled/xxx:

authorize {
  if (Huntgroup-Name == restricted) {
    if (SQL-Group == restricted) {
      # ok to login
    }
    else {
      reject
    }
  }
}

...or if you prefer to use a users file, in raddb/users:

DEFAULT Huntgroup-Name == restricted, SQL-Group == restricted
        Fall-Through = No
DEFAULT Huntgroup-Name == restricted, Auth-Type := Reject
        Fall-Through = No


There are lots of other ways to accomplish this. The point being, you 
need to actually check the group, and if you define the group so that it 
depends on the username, and the thing they're permitted to access, 
then you're essentially writing a whitelist and would need something 
like, in your example, raddb/users:

DEFAULT SQL-Group == xxx
        Fall-Through = No

DEFAULT SQL-Group == yyy
        Fall-Through = No

DEFAULT Auth-Type := Reject




how to use groups within freeradius

2011-06-27 Thread Ken Felix

Can anybody post a simple howto with regards to using groups within freeradius? 
What we would like to do is restrict some users from logging into various 
firewalls. I've created usergroups and defined


mysql> select * from usergroup ;
+-----------+-------------+----------+
| UserName  | GroupName   | priority |
+-----------+-------------+----------+
|           | login users |        1 |
| asa1.test | adminasa    |        1 |
| test.user | Login users |        1 |
+-----------+-------------+----------+


and


mysql> select * from radgroupcheck ;
+----+-----------+----------------+----+----------------+
| id | GroupName | Attribute      | op | Value          |
+----+-----------+----------------+----+----------------+
|  1 | adminasa  | NAS-IP-Address | == | 10.252.128.11  |
|  2 | adminasa  | NAS-IP-Address | == | 10.252.253.199 |
|  3 | adminasa  | NAS-IP-Address | == | 10.250.32.68   |
|  4 | adminasa  | NAS-IP-Address | == | 10.250.32.69   |
|  5 | adminasa  | NAS-IP-Address | == | 10.254.32.68   |
|  6 | adminasa  | NAS-Identifier | == | 10.252.128.11  |
+----+-----------+----------------+----+----------------+
6 rows in set (0.00 sec)




debug shows the following:





Sending Access-Reject of id 10 to 10.159.103.154 port 1812
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 10.252.128.11:1025, id=40, length=67
User-Name = asa1.test
User-Password = 30
NAS-IP-Address = 10.252.128.11
NAS-Port = 43
NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
  modcall[authorize]: module preprocess returns ok for request 18
  modcall[authorize]: module chap returns noop for request 18
  modcall[authorize]: module mschap returns noop for request 18
rlm_realm: No '@' in User-Name = asa1.test, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 18
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 18
  modcall[authorize]: module files returns notfound for request 18
radius_xlat:  'asa1.test'
rlm_sql (sql): sql_set_user escaped user -- 'asa1.test'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'asa1.test'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'asa1.test'   ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'asa1.test' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'asa1.test' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'asa1.test'   ORDER BY id'
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'asa1.test'   ORDER BY id
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'asa1.test' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'asa1.test' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module sql returns ok for request 18
modcall: leaving group authorize (returns ok) for request 18
auth: type Crypt
Login OK: [asa1.test] (from client SBBC port 43)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 18
rlm_sql (sql): Processing sql_postauth
radius_xlat:  'asa1.test'
rlm_sql (sql): sql_set_user escaped user -- 'asa1.test'
radius_xlat:  'INSERT into radacct (UserName, NASIPAddress, AcctStartTime, 
AcctStopTime, AcctSessionTime, AcctAuthentic, CallingStationId, 
AcctTerminateCause, NASIdentifier) values ('asa1.test', '10.252.128.11', NOW(), 
NOW(), '0', 'Local', '', 'Access-Accept', '')'
radius_xlat:  '/var/log/freeradius/sqltrace.sql'
rlm_sql (sql) in sql_postauth: query is INSERT into radacct (UserName, 
NASIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, 
CallingStationId, AcctTerminateCause, NASIdentifier) values