Pushing a policy for usergroup and calling station id from Free Radius Server
Hi, I am using FreeRADIUS on Linux, Fedora 13. I am able to push a policy for a user. I need help on the two scenarios given below.

1. How to push a policy for a specific usergroup from the FreeRADIUS server.
2. How to push a policy for a specific Calling-Station-Id like 00:16:6F:A2:XX:XX [no user-specific policy returned].

Thanks in advance.

Regards,
Subhani

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pushing a policy for usergroup and calling station id from Free Radius Server
On Sun, Sep 30, 2012 at 4:53 PM, Subhani sk m subhani19.c...@gmail.com wrote:
> Hi, I am using FreeRADIUS on Linux, Fedora 13. I am able to push a policy for a user. I need help on the two scenarios given below.
>
> 1. How to push a policy for a specific usergroup from the FreeRADIUS server.

Depends on what you mean by "push policy". If it's just "return some RADIUS attribute", then if you use a database, simply put it in the radgroupreply table. See the included documentation, or http://wiki.freeradius.org/modules/Rlm_sql

> 2. How to push a policy for a specific Calling-Station-Id like 00:16:6F:A2:XX:XX [no user-specific policy returned].

Short version? Use unlang (http://freeradius.org/radiusd/man/unlang.html)

-- 
Fajar
Re: Pushing a policy for usergroup and calling station id from Free Radius Server
On Sun, Sep 30, 2012 at 7:51 PM, Subhani sk m subhani19.c...@gmail.com wrote:
> Thanks Fajar. In the previous mail, "push policy" means RADIUS attributes only. I am using EAP-TLS, and when a client sends a RADIUS request with username user1 to the RADIUS server, in the Access-Accept I am able to see the attributes configured in the users file being returned. In /etc/raddb/users:
>
>     user1   Cleartext-Password := user1
>             Tunnel-Type := 13,
>             Tunnel-Medium-Type := 6,
>             Tunnel-Private-Group-Id := guest,
>             LVL7-Wireless-Client-Policy-Dn := policy1,
>
> Similarly, for a usergroup, say usergroup1, I should send RADIUS attributes. Also with the client MAC, which can be seen in the RADIUS request as Calling-Station-Id. Can we do it by modifying config files instead of modifying the SQL database?

Should be possible. Though I have never tried using a group from the users file, so you'd probably need to try it out yourself, or wait and see if others have better examples/advice.

-- 
Fajar
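One way to return both the per-usergroup and the per-MAC attributes from the users file alone, added here as an example and not taken from the thread. It assumes FreeRADIUS 2.x, that the unix module is instantiated (it is in the stock authorize section) so a "Group ==" check item can be tested against /etc/group, that the RADIUS user names exist as local accounts belonging to the Unix group usergroup1, and that these DEFAULT entries sit above the per-user entries; "staff" and "policy-usergroup1" are placeholder values.

```conf
# /etc/raddb/users (rlm_files syntax). Entries are tried top to bottom; an
# entry without Fall-Through stops matching, so the DEFAULTs come first and
# carry Fall-Through = Yes to let the per-user entry still apply.

# 1. Usergroup policy: every local user in the Unix group usergroup1 gets
#    these reply items. "Group" is the check attribute rlm_unix registers.
DEFAULT	Group == "usergroup1"
	Tunnel-Type := 13,
	Tunnel-Medium-Type := 6,
	Tunnel-Private-Group-Id := "staff",
	LVL7-Wireless-Client-Policy-Dn := "policy-usergroup1",
	Fall-Through = Yes

# 2. Device policy keyed on the Calling-Station-Id prefix 00:16:6F:A2, with
#    no per-user entry needed. The regex accepts upper- or lower-case hex and
#    either ":" or "-" as separator, since different NASes send either form.
DEFAULT	Calling-Station-Id =~ "^00[:-]16[:-]6[Ff][:-][Aa]2[:-]"
	Tunnel-Type := 13,
	Tunnel-Medium-Type := 6,
	Tunnel-Private-Group-Id := "guest",
	LVL7-Wireless-Client-Policy-Dn := "policy1",
	Fall-Through = Yes

# 3. The per-user entry from the thread. It matches after the DEFAULTs above;
#    its := operators replace whatever the group or device entry set.
user1	Cleartext-Password := "user1"
	Tunnel-Type := 13,
	Tunnel-Medium-Type := 6,
	Tunnel-Private-Group-Id := "guest",
	LVL7-Wireless-Client-Policy-Dn := "policy1"
```

Run radiusd -X and watch the "[files] users: Matched entry DEFAULT at line N" lines to confirm which entries a given request hits.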
Re: usergroup problems with separate auth and accounting databases
Trey Scarborough wrote:
> Alan DeKok wrote:
>> ... Let me guess... you have policies for accounting which use SQL-Group?
>
> No. It breaks the authentication when I add the accounting configuration.

  Fine. You have *authentication* policies which use SQL-Group. That's the issue. When there is *one* SQL module, the SQL-Group attribute refers only to it. When there are *two* SQL modules... which one does it refer to? That's the problem you're running into.

  The simple solution here is to use the instantiate section of radiusd.conf. List sql-acct first, and sql-auth second. That way, the SQL-Group comparison will use the sql-auth module, and not the sql-acct module.

  Alan DeKok.
Re: usergroup problems with separate auth and accounting databases
Alan DeKok wrote:
>   The simple solution here is to use the instantiate section of radiusd.conf. List sql-acct first, and sql-auth second. That way, the SQL-Group comparison will use the sql-auth module, and not the sql-acct module.
>
>   Alan DeKok.

Thanks, that fixed the problem. I would have thought it would have been the other way: sql-auth before sql-acct.
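The instantiate ordering Alan describes, written out as an added example (not the thread's own radiusd.conf) for FreeRADIUS 2.x with the two rlm_sql instances from this thread. Each rlm_sql instance registers a comparison for the plain SQL-Group check attribute and the last registration wins, which is why the order below decides which database a "SQL-Group == ..." check queries; the group name "active" is the one from the thread's debug output.

```conf
# --- radiusd.conf ---
instantiate {
	exec
	expr
	sql-acct	# loaded first: its SQL-Group comparison is overridden ...
	sql-auth	# ... by this one, so SQL-Group checks query the auth database
}

# --- users (rlm_files) ---
# With that order, this check item runs sql-auth's group_membership_query
# and the debug shows "rlm_sql (sql-auth): Reserving sql socket" under it.
DEFAULT	SQL-Group == "active"
	Reply-Message = "account is active",
	Fall-Through = Yes

# Order-independent alternative described in doc/rlm_sql: a named instance
# ("sql sql-auth { ... }") also registers <instance>-SQL-Group, so the
# instance can be named in the check item and the instantiate order no
# longer matters for this entry.
DEFAULT	sql-auth-SQL-Group == "active"
	Reply-Message = "account is active",
	Fall-Through = Yes
```

The startup debug prints "rlm_sql Creating new attribute sql-auth-SQL-Group" when the per-instance attribute is available; if that line is missing the instance has no second name and only the plain SQL-Group form is registered.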
Re: usergroup problems with separate auth and accounting databases
Trey Scarborough wrote:
> Yes, I am aware of how it is documented. I followed the documentation but it still is not functioning correctly. I have a configuration that is similar to as follows

  *sigh*  Similar is not the same.

  Perhaps you could explain in *detail* what you are trying to do with SQL groups. Use examples from your configuration, not invented ones.

  Alan DeKok.
Re: usergroup problems with separate auth and accounting databases
Alan DeKok wrote:
> Trey Scarborough wrote:
>> Yes, I am aware of how it is documented. I followed the documentation but it still is not functioning correctly. I have a configuration that is similar to as follows
>
>   *sigh*  Similar is not the same.
>
>   Perhaps you could explain in *detail* what you are trying to do with SQL groups. Use examples from your configuration, not invented ones.
>
>   Alan DeKok.

All I am trying to do is run the RADIUS auth queries on a database on one machine and the accounting on another, in another database. The problem I am seeing is that when the additional sql configuration is put in for the accounting database it begins to use that configuration for the group_membership_query, which is not in the accounting database, and fails. If I remove the sql-auth from the accounting configuration it runs fine using the rad-auth sql configuration. Here are the excerpts from my configuration. I am trying to set some radreply items with sql and some by the users file by group. This works fine until I try to separate the databases.

    authorize {
        preprocess
        chap
        mschap
        suffix
        sql-auth
        files
    }

    accounting {
        detail
        radutmp
        sql-acct    # works when this line is commented out
    }

    # sql.conf file
    sql sql-auth {
        driver = "rlm_sql_mysql"
        server = "localhost"
        login = "radius"
        password = "radpass"
        radius_db = "radius"
        postauth_table = "radpostauth"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"
        usergroup_table = "usergroup"
        nas_table = "nas"
        deletestalesessions = no
        sqltrace = no
        sqltracefile = ${logdir}/sqltrace.sql
        num_sql_socks = 5
        connect_failure_retry_delay = 60
        sql_user_name = "%{User-Name}"
        authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
            FROM ${authcheck_table} \
            WHERE Username = '%{SQL-User-Name}' \
            ORDER BY id"
        authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
            FROM ${authreply_table} \
            WHERE Username = '%{SQL-User-Name}' \
            ORDER BY id"
        group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}'"
        #
        # Set to 'yes' to read radius clients from the database ('nas' table)
        readclients = yes
    }

    sql sql-acct {
        driver = "rlm_sql_mysql"
        server = "192.168.5.84"
        login = "radius"
        password = "radpass"
        radius_db = "radius-acct"
        acct_table1 = "radacct"
        acct_table2 = "radacct"
        accounting_onoff_query = "UPDATE ${acct_table1} \
            SET AcctStopTime='%S', \
            AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), \
            AcctTerminateCause='%{Acct-Terminate-Cause}', \
            AcctStopDelay = '%{Acct-Delay-Time}' \
            WHERE AcctSessionTime=0 AND AcctStopTime=0 \
            AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime = '%S'"
        accounting_update_query = "UPDATE ${acct_table1} \
            SET FramedIPAddress = '%{Framed-IP-Address}', \
            AcctSessionTime = '%{Acct-Session-Time}', \
            AcctInputOctets = '%{Acct-Input-Octets}', \
            AcctOutputOctets = '%{Acct-Output-Octets}' \
            WHERE AcctSessionId = '%{Acct-Session-Id}' \
            AND UserName = '%{SQL-User-Name}' \
            AND NASIPAddress= '%{NAS-IP-Address}'"
        accounting_update_query_alt = "INSERT into ${acct_table1} \
            (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, \
            AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, \
            AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, \
            FramedIPAddress, AcctStartDelay) \
            values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', \
            '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', \
            DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), \
            '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', \
            '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', \
            '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"
        accounting_start_query = "INSERT into ${acct_table1} \
            (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, \
            AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, \
            ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, \
            AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, \
            AcctStopDelay) \
            values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', \
            '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', \
            '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', \
            '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', \
            '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
        accounting_start_query_alt = "UPDATE ${acct_table1} SET AcctStartTime = '%S
Re: usergroup problems with separate auth and accounting databases
Trey Scarborough wrote:
> All I am trying to do is run the RADIUS auth queries on a database on one machine and the accounting on another, in another database. The problem I am seeing is that when the additional sql configuration is put in for the accounting database it begins to use that configuration for the group_membership_query

  Uh... no. Nothing in the SQL accounting configuration uses the group membership query. See the source code.

> which is not in the accounting database and fails. If I remove the sql-auth from the accounting configuration it runs fine using the rad-auth sql configuration. Here are the excerpts from my configuration. I am trying to set some radreply items with sql and some by the users file by group. This works fine until I try to separate the databases.

  Let me guess... you have policies for accounting which use SQL-Group?

  Alan DeKok.
Re: usergroup problems with separate auth and accounting databases
Alan DeKok wrote:
> Trey Scarborough wrote:
>> All I am trying to do is run the RADIUS auth queries on a database on one machine and the accounting on another, in another database. The problem I am seeing is that when the additional sql configuration is put in for the accounting database it begins to use that configuration for the group_membership_query
>
>   Uh... no. Nothing in the SQL accounting configuration uses the group membership query. See the source code.

Exactly my problem, and why I don't understand why it breaks the authorization RADIUS reply attributes.

>> which is not in the accounting database and fails. If I remove the sql-auth from the accounting configuration it runs fine using the rad-auth sql configuration. Here are the excerpts from my configuration. I am trying to set some radreply items with sql and some by the users file by group. This works fine until I try to separate the databases.
>
>   Let me guess... you have policies for accounting which use SQL-Group?

No. It breaks the authentication when I add the accounting configuration.

>   Alan DeKok.

Here is another, more specific output from a debug. It runs like this without the accounting configuration:

    [sql-auth] sql_groupcmp
    [sql-auth]     expand: %{User-Name} -> t...@testdomain.net
    [sql-auth] sql_set_user escaped user --> 't...@testdomain.net'
    rlm_sql (sql-auth): Reserving sql socket id: 3
    rlm_sql_mysql: query:  SELECT GroupName FROM usergroup WHERE UserName='t...@testdomain.net'
    [sql-auth] sql_groupcmp finished: User is a member of group active
    rlm_sql (sql-auth): Released sql socket id: 3

It runs like this when I add the rad-acct to accounting. It appears to be using the sql-acct for the sql_groupcmp for some reason.

    [sql-auth] sql_groupcmp
    [sql-auth]     expand: %{User-Name} -> t...@testdomain.net
    [sql-auth] sql_set_user escaped user --> 't...@testdomain.net'
    rlm_sql (sql-acct): Reserving sql socket id: 4
    rlm_sql (sql-acct): Released sql socket id: 4
    [sql-auth] sql_groupcmp finished: User is NOT a member of group active

Any ideas as to why it would do this?
Re: usergroup problems with separate auth and accounting databases
Trey Scarborough wrote:
> I have two MySQL configurations, one for my authentication requests and one for the accounting data. When it makes a groupcheck query it is always using the module for the accounting server. Is there any way to make this function correctly and have it use the configuration for the authentication database?

  Read doc/rlm_sql, or the rlm_sql page on the Wiki. This is documented.

  Alan DeKok.
Re: usergroup problems with separate auth and accounting databases
Yes, I am aware of how it is documented. I followed the documentation but it still is not functioning correctly. I have a configuration that is similar to as follows:

    sql sql1 {
        # configuration for authentication database
        # no accounting queries configured
    }

    sql sql2 {
        # configuration for accounting database
        # no authentication queries configured
    }

    # does not work: uses accounting sql2 for usergroup query
    authorize {
        sql1
        files
    }
    accounting {
        detail
        sql
    }

    # configuration of groups works fine but I lose accounting sql
    authorize {
        sql1
        files
    }
    accounting {
        detail
    }

Alan DeKok wrote:
> Trey Scarborough wrote:
>> I have two MySQL configurations, one for my authentication requests and one for the accounting data. When it makes a groupcheck query it is always using the module for the accounting server. Is there any way to make this function correctly and have it use the configuration for the authentication database?
>
>   Read doc/rlm_sql, or the rlm_sql page on the Wiki. This is documented.
>
>   Alan DeKok.
usergroup problems with separate auth and accounting databases
I have two MySQL configurations, one for my authentication requests and one for the accounting data. When it makes a groupcheck query it is always using the module for the accounting server. Is there any way to make this function correctly and have it use the configuration for the authentication database? Any ideas of why this is happening?

Here is some output while doing a request. sql1 is the authentication DB and sql2 is the accounting.

    rad_recv: Access-Request packet from host 127.0.0.1 port 2701, id=94, length=61
        User-Name = u...@domain.net
        CHAP-Password = 0x000
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [chap] Setting 'Auth-Type := CHAP'
    ++[chap] returns ok
    ++[mschap] returns noop
    [suffix] Looking up realm domain.net for User-Name = u...@domain.net
    [suffix] No such realm vortexmail.com
    ++[suffix] returns noop
    [sql1]     expand: %{User-Name} -> u...@domain.net
    [sql1] sql_set_user escaped user --> 'u...@domain.net'
    rlm_sql (sql1): Reserving sql socket id: 4
    [sql1]     expand: SELECT ..
    rlm_sql_mysql: query:  SELECT ...
    [sql1] User found in radcheck table
    [sql1]     expand: SELECT ..
    rlm_sql_mysql: query:  SELECT ...
    [sql1]     expand: SELECT ...
    rlm_sql_mysql: query:  SELECT
    [sql1]     expand: SELECT ...
    rlm_sql_mysql: query:  SELECT ..
    [sql1] sql_groupcmp
    [sql1]     expand: %{User-Name} -> u...@domain.net
    [sql1] sql_set_user escaped user --> 'u...@domain.net'
    rlm_sql (sql2): Reserving sql socket id: 4
    rlm_sql (sql2): Released sql socket id: 4
    [sql1] sql_groupcmp finished: User is NOT a member of group active
    Invalid operator for item Sql-Group: reverting to '=='
    rlm_sql (sql1): Released sql socket id: 4
    ++[sql1] returns ok
    [files] sql_groupcmp
    [files]     expand: %{User-Name} -> u...@domain.net
    [files] sql_set_user escaped user --> 'u...@domain.net'
    rlm_sql (sql2): Reserving sql socket id: 3
    rlm_sql (sql2): Released sql socket id: 3
    [files] sql_groupcmp finished: User is NOT a member of group active
    [files] sql_groupcmp
    [files]     expand: %{User-Name} -> u...@domain.net
    [files] sql_set_user escaped user --> 'u...@domain.net'
    rlm_sql (sql2): Reserving sql socket id: 2
    rlm_sql (sql2): Released sql socket id: 2
Re: usergroup and radgroupcheck problem!
Hi (salaam),

Thanks for your help, but I solved the problem: I changed the radgroupcheck query so it gets the groupname from the usergroup table and then compares it! I think I have a better solution, isn't it? BTW, thanks for your help; please inform me if you know why this problem exists. Is it a bug?

Ya Ali
Hamid Reza Hasani
Re: usergroup and radgroupcheck problem!
>> It looks like you have edited sql queries and mixed user and group queries. Post the part of the startup debug with sql initializing.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
> Thanks for your response, I attached the full log.

    authorize_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id"

That should be authorize_group_check_query.

    authorize_group_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id"

And that should be authorize_check_query. Swap them over.

Ivan Kalik
Kalik Informatika ISP
Re: usergroup and radgroupcheck problem!
> It looks like you have edited sql queries and mixed user and group queries. Post the part of the startup debug with sql initializing.
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks for your response, I attached the full log.

Ya Ali
Hamid Reza Hasani
usergroup and radgroupcheck problem!
Hi (Salam),

I'm using the latest version of FreeRADIUS. When my users are going to connect, I see this message:

    [sql]     expand: %{User-Name} -> myuser
    [sql] sql_set_user escaped user --> 'myuser'
    rlm_sql (sql): Reserving sql socket id: 2
    [sql]     expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '' ORDER BY id
    rlm_sql_mysql: query:  SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '' ORDER BY id
    [sql]     expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'myuser' ORDER BY priority
    rlm_sql_mysql: query:  SELECT groupname FROM usergroup WHERE username = 'myuser' ORDER BY priority
    [sql]     expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'myuser' ORDER BY id
    rlm_sql_mysql: query:  SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'myuser' ORDER BY id
    [sql] User found in group test
    [sql]     expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id
    rlm_sql_mysql: query:  SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id
    rlm_sql (sql): Released sql socket id: 2
    ++[sql] returns ok
    rlm_sqlcounter: Entering module authorize code
    rlm_sqlcounter: Could not find Check item value pair
    ++[dailycounter] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop

If you look at them carefully, you can see there is a bit of a problem! My FreeRADIUS reads radgroupcheck before the usergroup table, so it can't recognize the user's group name for the radgroupcheck query, so it can't read the radgroupcheck attributes! Where is my fault? Can I change its priority?

Thanks

Ya Ali
Hamid Reza Hasani
Re: usergroup and radgroupcheck problem!
> If you look at them carefully, you can see there is a bit of a problem! My FreeRADIUS reads radgroupcheck before the usergroup table, so it can't recognize the user's group name for the radgroupcheck query, so it can't read the radgroupcheck attributes! Where is my fault? Can I change its priority?

It looks like you have edited sql queries and mixed user and group queries. Post the part of the startup debug with sql initializing.

Ivan Kalik
Kalik Informatika ISP
Re: rlm_sql: usergroup lookup if User-Profile is defined
Bjørn Mork bj...@mork.no writes:
> I am wondering if I'm the only one who finds the following default behaviour a bit confusing:
>
> Given a user defined like this:
>
>     user1   Cleartext-Password := foo, User-Profile := profile1
>
> I would expect profile1 to always be looked up in the usergroup table for this user. However, this won't happen if user1 is defined in that table without Fall-Through. rlm_sql will look up user1 first and only look up profile1 if either user1 is not found or Fall-Through is set by the user1 groups.

Some more information about what I'm trying to achieve. Maybe I'm doing something very awkward and strange, and really should go another route. Any hints are appreciated.

I have 2.6 million user accounts:

    mysql> select count(distinct(username)) from radcheck;
    +---------------------------+
    | count(distinct(username)) |
    +---------------------------+
    |                   2627686 |
    +---------------------------+
    1 row in set (7.41 sec)

Nearly all of these set User-Profile:

    mysql> select count(*) from radcheck where attribute = 'User-Profile';
    +----------+
    | count(*) |
    +----------+
    |  2627522 |
    +----------+
    1 row in set (2.19 sec)

The profiles represent a small number of common check and reply items for one account class. There are only(?) 83 such distinct account types at the moment:

    mysql> select count(distinct(username)) from radusergroup;
    +---------------------------+
    | count(distinct(username)) |
    +---------------------------+
    |                        83 |
    +---------------------------+
    1 row in set (0.01 sec)

Most of the profiles have more than one entry in radusergroup, to do prioritized lookups like

    user1   NAS-Port-Type == xDSL
            attribute1 = foo
    user1   NAS-Port-Type == Ethernet
            attribute1 = bar

So the total number of entries in radusergroup is higher than the number of profiles, giving an average of 4.7 group check lists per profile:

    mysql> select count(*) from radusergroup;
    +----------+
    | count(*) |
    +----------+
    |      387 |
    +----------+
    1 row in set (0.00 sec)

Now, I do realize that the original design is based on an assumption that every user will have an individual entry in radusergroup, mapping to every group check list for that user. I am trying to avoid that because:

- I don't need it: there are only 83 distinct profiles, not 2.6 million.
- Mapping a user to a profile instead of a group list virtualizes the knowledge of the actual profile contents, thereby avoiding the need for every script creating user accounts to do this mapping (there is more than 1 such script...).
- The 2.6 million users would expand to approx. 12.3 million rows in the usergroup tables, assuming an even distribution among the profiles (real numbers are probably worse, as the most common profiles also tend to be the most complex ones). The alternative is 2.6 million rows in the radcheck table, saving ~10 million rows...
- Not adding users to radusergroup reduces the number of tables a useradd script needs to touch from 3 to 2. Remember again that each such table will be shared among several writers, and therefore needs a per-row ownership policy.

But to be able to use radusergroup as I want, I have one requirement:

- eviluser should not gain access to anything by using "profile" as username, even if profile sets a password (some profiles might be meant for devices with a preprogrammed common password, where the individual user check list is doing the actual authentication based on e.g. Calling-Station-Id)

and also some wishes:

- profile1 should be both a valid username and profile name, where the user very well could be mapped to profile2
- looking up the username in the radusergroup table is pointless, so it should be avoided
- in particular, looking up a username not found in radcheck or which failed the radcheck items should be avoided. It is guaranteed to be pointless if the requirement above is fulfilled.

I think I can meet my requirement without any code changes by adding a check item like this to every group referenced by profilename:

    User-Name != profilename

(maybe think a bit about case sensitivity here - doing case sensitive lookups in the radusergroup table would solve that)

But AFAICS, my wishlist items would need a code change. My suggestion would be something like this, of course defaulting to the existing behaviour (concept for discussion only - not even build tested):

diff --git a/raddb/sql.conf b/raddb/sql.conf index 690c3a2..631e7b5 100644 --- a/raddb/sql.conf +++ b/raddb/sql.conf @@ -66,6 +66,10 @@ sql { # If set to 'no' the user MUST have Fall-Through = Yes in the radreply table # read_groups = yes + # If set to 'yes' then only the User-Profile is looked up in the usergroup table + # If set to 'no' (default) then we lookup the username first + # user_profile_only
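Review bot: the quoted hunk touches only raddb/sql.conf, so as shown `user_profile_only` is documentation for an option nothing reads; rlm_sql's config-parser table and its group-lookup path in authorize need the matching change before this comment block is true. Within the hunk itself, follow the `# read_groups = yes` line it sits under and show the default explicitly, e.g. `# user_profile_only = no`, so a reader sees the accepted values and the default without consulting the code; the security requirement stated above the patch (a profile name must never be usable as a username) also belongs in this comment, since that is the reason the option exists.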
rlm_sql: usergroup lookup if User-Profile is defined
Hello,

I am wondering if I'm the only one who finds the following default behaviour a bit confusing:

Given a user defined like this:

    user1   Cleartext-Password := foo, User-Profile := profile1

I would expect profile1 to always be looked up in the usergroup table for this user. However, this won't happen if user1 is defined in that table without Fall-Through. rlm_sql will look up user1 first and only look up profile1 if either user1 is not found or Fall-Through is set by the user1 groups.

Bjørn
usergroup
Hi All,

I have a few problems. I have FreeRADIUS version 1.0.5 running with rlm_sql.

    radcheck : username, attribute, op, value
        test1,password,==,testpass
        test2,password,==,testpass

    radreply : none

    radusergroup :
        test1,HS1
        test2,HS2
        test2,HS1

    radgroupcheck : groupname, attribute, op, value
        HS1,Called-Station-Id,==,device1
        HS2,Called-Station-Id,==,device2

    radgroupreply : groupname, attribute, op, value, prio
        HS1,Framed-Pool,=,pool1,0
        HS2,Framed-Pool,=,pool2,0

The problem is that users test1 and test2 can connect and get pool1, but user test2 can't connect and can't get pool2. I already use Fall-Through = Yes in radreply and radgroupreply, but it still does not work. When I use FreeRADIUS 2.1.1, that setting works. Does FreeRADIUS 1.0.5 not support multiple groups, or is something wrong with my setting? How many groups can be assigned to one user in FreeRADIUS 2.1.1?
Re: FreeRadius2 + MySQL: NAS x Usergroup
Many thanks... It is working now! :)

On Tue, Sep 9, 2008 at 5:11 AM, Alan DeKok [EMAIL PROTECTED] wrote:
> Carlos Eduardo Tavares Terra wrote:
>> Sorry, but maybe I didn't understand how virtual servers really work.
>
>   raddb/sites-available/README
>
>   Each virtual server is a RADIUS server, just like in 1.x. The only difference is that you don't need to run multiple processes to get multiple server configurations.
>
>> I have separated into different virtual servers because each type of service has different modules implemented by me. In freeradius1 I was using the groupreply 'Exec-Program-Wait' and different radius servers for each service. In each server I have modified the sql queries
>
>   i.e. in 1.x, you modified the SQL queries in the sql module configuration, for each server. i.e. you were running TWO different instances of the SQL module.
>
>   I think the problem is that you're trying to use only ONE instance of the SQL module in 2.x. Instead, do this in the modules section:
>
>     sql sql1 {
>         ... content from 1.x server1, INCLUDING queries
>     }
>
>     sql sql2 {
>         ... content from 1.x server2, INCLUDING queries
>     }
>
>   Then, use sql1 in the virtual server for server1, and sql2 in the virtual server for sql2.
>
>   Alan DeKok.

-- 
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux
Re: FreeRadius2 + MySQL: NAS x Usergroup
Carlos Eduardo Tavares Terra wrote:
> Sorry, but maybe I didn't understand how virtual servers really work.

  raddb/sites-available/README

  Each virtual server is a RADIUS server, just like in 1.x. The only difference is that you don't need to run multiple processes to get multiple server configurations.

> I have separated into different virtual servers because each type of service has different modules implemented by me. In freeradius1 I was using the groupreply 'Exec-Program-Wait' and different radius servers for each service. In each server I have modified the sql queries

  i.e. in 1.x, you modified the SQL queries in the sql module configuration, for each server. i.e. you were running TWO different instances of the SQL module.

  I think the problem is that you're trying to use only ONE instance of the SQL module in 2.x. Instead, do this in the modules section:

    sql sql1 {
        ... content from 1.x server1, INCLUDING queries
    }

    sql sql2 {
        ... content from 1.x server2, INCLUDING queries
    }

  Then, use sql1 in the virtual server for server1, and sql2 in the virtual server for sql2.

  Alan DeKok.
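A concrete FreeRADIUS 2.x layout for the two-instance approach Alan describes, added here as an example and not taken from the thread or from the project's own files. It uses the thread's group names (dialup, broadband) and its nas table with the "server" column, and assumes two files sql/mysql/dialup-service.conf and sql/mysql/broadband-service.conf exist: copies of the stock dialup.conf whose group_membership_query is narrowed to one service's group (the query is shown in a comment); the database password is a placeholder.

```conf
# --- sql.conf: one rlm_sql instance per service, same user base ---
sql sql1 {
	database = "mysql"
	driver = "rlm_sql_${database}"
	server = "localhost"
	login = "radius"
	password = "DB-PASSWORD-PLACEHOLDER"
	radius_db = "radius"
	sql_user_name = "%{User-Name}"
	# Load the NAS clients from the nas table once. Its "server" column
	# (dialup / broadband in the thread) names the virtual server that
	# handles each NAS, so dialup-nas is processed by "server dialup" below.
	readclients = yes
	# Assumed file: copy of sql/mysql/dialup.conf whose
	# group_membership_query returns only this service's group:
	#   SELECT groupname FROM radusergroup
	#     WHERE username = '%{SQL-User-Name}' AND groupname = 'dialup'
	#     ORDER BY priority
	$INCLUDE sql/${database}/dialup-service.conf
}

sql sql2 {
	database = "mysql"
	driver = "rlm_sql_${database}"
	server = "localhost"
	login = "radius"
	password = "DB-PASSWORD-PLACEHOLDER"
	radius_db = "radius"
	sql_user_name = "%{User-Name}"
	readclients = no	# sql1 already loaded the shared nas table
	# Assumed file: as above, with groupname = 'broadband'
	$INCLUDE sql/${database}/broadband-service.conf
}

# --- sites-enabled/dialup: requests from NASes whose nas.server = 'dialup' ---
server dialup {
	authorize {
		preprocess
		chap
		mschap
		suffix
		sql1		# John only sees the dialup group's check/reply items
		expiration
		logintime
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type CHAP {
			chap
		}
		Auth-Type MS-CHAP {
			mschap
		}
	}
	accounting {
		detail
		sql1
	}
	post-auth {
		sql1
	}
}

# --- sites-enabled/broadband: requests from NASes whose nas.server = 'broadband' ---
server broadband {
	authorize {
		preprocess
		chap
		mschap
		suffix
		sql2		# same John, broadband group only
		expiration
		logintime
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type CHAP {
			chap
		}
		Auth-Type MS-CHAP {
			mschap
		}
	}
	accounting {
		detail
		sql2
	}
	post-auth {
		sql2
	}
}
```

In the radiusd -X output the line "server broadband {" should now precede John's request from 192.168.2.3, and the radgroupcheck query under it should expand with groupname = 'broadband' instead of 'dialup'.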
Re: FreeRadius2 + MySQL: NAS x Usergroup
Sorry, but maybe I didn't understand how virtual servers really work.

I have one big user base. The users can be in one or more groups.

    User:John - Group:dialup
    User:John - Group:broadband
    User:Jack - Group:dialup
    User:Jack - Group:hotspot

John and Jack are in my radcheck and radusergroup tables.

    Username:  John               Username:  Jack
    Attribute: Password           Attribute: Password
    Op:        :=                 Op:        :=
    Value:     crypt('test')      Value:     crypt('test2')

My NAS clients are in the database too.

    nasname:   192.168.2.2        nasname:   192.168.2.3
    shortname: dialup-nas         shortname: broadband-nas
    type:      cisco              type:      cisco
    secret:    secret-password    secret:    secret-password
    server:    dialup             server:    broadband

My problem is here:

        expand: %{User-Name} -> John
    rlm_sql (sql): sql_set_user escaped user --> 'John'
    rlm_sql (sql): Reserving sql socket id: 2
        expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'John' ORDER BY id
    rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'John' ORDER BY id
        expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'John' ORDER BY priority
        expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id
    rlm_sql (sql): User found in group dialup
        expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id
    rlm_sql (sql): Released sql socket id: 2

John is connecting through broadband-nas, but FreeRADIUS is getting the dialup groupname and all its checks and replies. Dialup and broadband have the same priority in the radusergroup table. I wish to 'force' something like 'dialup-nas' -> 'dialup group', 'broadband-nas' -> 'broadband group'. Maybe I'm going the wrong way.

I have separated into different virtual servers because each type of service has different modules implemented by me. In freeradius1 I was using the groupreply 'Exec-Program-Wait' and different radius servers for each service. In each server I have modified the sql queries to get only the replies and checks for the respective groups (services). What is the 'right' way to implement this scenario with FreeRADIUS 2?

Thank you for the help.

2008/9/6 [EMAIL PROTECTED]:
> No. You define virtual home servers in proxy.conf.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 6/9/2008, Carlos Eduardo Tavares Terra [EMAIL PROTECTED] wrote:
>> Can I associate in groupcheck a groupname with a virtual server? I have separated each type of service into different virtual servers, because each one of them has different modules.
>>
>> Thanks
>>
>> On Fri, Sep 5, 2008 at 2:49 PM, Ivan Kalik [EMAIL PROTECTED] wrote:
>>> Radgroupcheck table.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Eduardo Tavares Terra
>>> Sent: 05 September 2008 02:42
>>> To: freeradius-users@lists.freeradius.org
>>> Subject: FreeRadius2 + MySQL: NAS x Usergroup
>>>
>>> Dear freeradius users,
>>>
>>> I have a special scenario. Today I have many FreeRADIUS servers, each one responsible for different services. Now I want to group these FreeRADIUS servers into one master server, but I have users in many different usergroups (one for each service). How can I associate a usergroup to a NAS?
>>>
>>> Example:
>>>     NAS (192.168.2.1) - Usergroup (Dialup)
>>>     NAS (192.168.2.2) - Usergroup (Broadband)
>>>     NAS (192.168.2.3) - Usergroup (Hotspot)
>>>
>>> I saw how to do this using huntgroups, but I want to use a MySQL database with all clients. Are there other ways to implement these different services in one RADIUS server, maybe the right way? If not, how can I associate the usergroups and NAS using MySQL?
>>>
>>> Thank you
>>>
>>> --
>>> Carlos Eduardo Tavares Terra
>>> GNU/Linux #413291 [http://counter.li.org]
>>> Slackware Linux
Re: FreeRadius2 + MySQL: NAS x Usergroup
Can I associate in groupcheck a groupname with a virtual server? I have separated each type of service into different virtual servers, because each one of them has different modules.

Thanks

On Fri, Sep 5, 2008 at 2:49 PM, Ivan Kalik [EMAIL PROTECTED] wrote:
> Radgroupcheck table.
>
> Ivan Kalik
> Kalik Informatika ISP

--
Carlos Eduardo Tavares Terra
Systems Analyst
Petróleo Brasileiro S/A
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux
Re: FreeRadius2 + MySQL: NAS x Usergroup
No. You define virtual home servers in proxy.conf.

Ivan Kalik
Kalik Informatika ISP

On 6/9/2008, Carlos Eduardo Tavares Terra [EMAIL PROTECTED] writes:
> Can I associate in groupcheck a groupname with a virtual server? I have separated each type of service into different virtual servers, because each one of them has different modules.
RE: FreeRadius2 + MySQL: NAS x Usergroup
Radgroupcheck table.

Ivan Kalik
Kalik Informatika ISP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Eduardo Tavares Terra
Sent: 05 September 2008 02:42
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius2 + MySQL: NAS x Usergroup

> How can I associate a usergroup to a NAS? Example:
> NAS (192.168.2.1) - Usergroup (Dialup)
> NAS (192.168.2.2) - Usergroup (Broadband)
> NAS (192.168.2.3) - Usergroup (Hotspot)
FreeRadius2 + MySQL: NAS x Usergroup
Dear freeradius users,

I have a special scenario. Today I have many freeradius servers, each one responsible for different services. Now I want to group these freeradius servers into one master server, but I have users in many different usergroups (one for each service). How can I associate a usergroup to a NAS? Example:

NAS (192.168.2.1) - Usergroup (Dialup)
NAS (192.168.2.2) - Usergroup (Broadband)
NAS (192.168.2.3) - Usergroup (Hotspot)

I saw how to do this using huntgroups, but I want to use a MySQL database with all clients. Are there other ways to implement these different services in one radius server, maybe the right way? If not, how can I associate the usergroups and NAS using MySQL?

Thank you

--
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux
nas / usergroup?
Hello,

I've been browsing the wiki looking for information on how to set up different domains or authentication groups, but couldn't find how to link a NAS to a usergroup (is community in the nas table equivalent to GroupName?)... What I want is to define several groups so that only users in a group can authenticate through a NAS from that group.

regards,
Genís

This e-mail contains confidential information. The information is intended for exclusive use by the abovementioned recipient. If you have received this e-mail in error, please notify us immediately to arrange for the confidential information to be returned to us. We hereby inform you that it is strictly prohibited to disclose, copy, distribute or take any action based on this information. Thank you.
Re: nas / usergroup?
Use huntgroups to group access servers. Then use Huntgroup-Name in radgroupcheck to restrict access.

Ivan Kalik
Kalik Informatika ISP

On 3/9/2007, Genis Pujol Hamelink [EMAIL PROTECTED] writes:
> Hello,
> I've been browsing the wiki looking for information on how to set up different domains or authentication groups, but couldn't find how to link a NAS to a usergroup (is community in the nas table equivalent to GroupName?)... What I want is to define several groups so that only users in a group can authenticate through a NAS from that group.
> regards,
> Genís
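A worked version of the huntgroup approach Ivan describes, which also answers Carlos's John/dialup-vs-broadband problem above. This is an added example, not configuration from any of the posts: the NAS addresses and group names come from the thread (the hotspot NAS address is assumed), and it assumes the preprocess module runs before sql in the authorize section, so Huntgroup-Name is already in the request when rlm_sql evaluates radgroupcheck.

```text
# /etc/raddb/huntgroups  (read by the preprocess module; constructed example)
# One huntgroup per NAS, named after the service group it should select.
dialup      NAS-IP-Address == 192.168.2.2
broadband   NAS-IP-Address == 192.168.2.3
hotspot     NAS-IP-Address == 192.168.2.4    # address assumed, not in the thread

-- MySQL rows for the same setup (constructed example).
-- rlm_sql walks the user's groups in priority order; a group whose check
-- items do not all match the request is skipped and the next group is tried.
-- Tying every group to its huntgroup means John, who is in dialup and
-- broadband with equal priority, only gets the group of the NAS he came in on.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
  ('dialup',    'Huntgroup-Name', '==', 'dialup'),
  ('broadband', 'Huntgroup-Name', '==', 'broadband'),
  ('hotspot',   'Huntgroup-Name', '==', 'hotspot');

-- radusergroup as in Carlos's message: two groups, same priority.
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('John', 'dialup',    1),
  ('John', 'broadband', 1),
  ('Jack', 'dialup',    1),
  ('Jack', 'hotspot',   1);

-- Per-service reply attributes (values constructed for illustration).
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('dialup',    'Framed-Protocol', '=', 'PPP'),
  ('broadband', 'Framed-MTU',      '=', '1492');
```

To check it, run radiusd -X and send John's request from 192.168.2.3: the debug output should show Huntgroup-Name = "broadband" added by preprocess, and the sql group step should report the broadband group instead of dialup.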
usergroup
I've recently configured freeradius with sql support. I have it doing all the lookups fine. I was wondering though, if there was any way to have radius use a default group, rather than having to create a second entry in the usergroup table. We're simply using radius for authentication purposes, and no static IP or other info would need to be provided to radius.

Thanks,
Craig