Pushing a policy for usergroup and calling station id from Free Radius Server

2012-09-30 Thread Subhani sk m
Hi,

I am using FreeRADIUS on Linux, Fedora 13. I am able to push a policy for a
user. I need help on the two scenarios given below.

1. How to push a policy for a specific usergroup from the FreeRADIUS server.

2. How to push a policy for a specific Calling-Station-Id like
00:16:6F:A2:XX:XX [no user-specific policy returned].

Thanks in advance.

Regards,
Subhani
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Pushing a policy for usergroup and calling station id from Free Radius Server

2012-09-30 Thread Fajar A. Nugraha
On Sun, Sep 30, 2012 at 4:53 PM, Subhani sk m subhani19.c...@gmail.com wrote:
> Hi,
>
> I am using FreeRADIUS on Linux, Fedora 13. I am able to push a policy for a
> user. I need help on the two scenarios given below.
>
> 1. How to push a policy for a specific usergroup from the FreeRADIUS server.
>

Depends on what you mean by "push policy". If it's just "return some
RADIUS attribute", then if you use a database, simply put it in the
radgroupreply table. See the included documentation, or
http://wiki.freeradius.org/modules/Rlm_sql

> 2. How to push a policy for a specific Calling-Station-Id like
> 00:16:6F:A2:XX:XX [no user-specific policy returned].

Short version? Use unlang (http://freeradius.org/radiusd/man/unlang.html)

-- 
Fajar


Re: Pushing a policy for usergroup and calling station id from Free Radius Server

2012-09-30 Thread Fajar A. Nugraha
On Sun, Sep 30, 2012 at 7:51 PM, Subhani sk m subhani19.c...@gmail.com wrote:
> Thanks Fajar.
>
> In the previous mail, "push policy" means RADIUS attributes only. I am
> using EAP-TLS, and when a client sends a RADIUS request with username
> user1 to the RADIUS server, in the Access-Accept I am able to see the attributes
> configured in the users file being returned.
>
> In the /etc/raddb/users file:
>
> user1   Cleartext-Password := "user1"
>         Tunnel-Type := 13,
>         Tunnel-Medium-Type := 6,
>         Tunnel-Private-Group-Id := "guest",
>         LVL7-Wireless-Client-Policy-Dn := "policy1"
>
> Similarly, for a usergroup, say usergroup1, I should send RADIUS
> attributes. Also for a client MAC, which can be seen in the RADIUS request as
> Calling-Station-Id.
>
> Can we do it by modifying config files instead of modifying the SQL database?
>


Should be possible. Though I have never tried using group from users
file, so you'd probably need to try it out yourself, or wait and see
if others have better example/advice.

-- 
Fajar


Re: usergroup problems with separate auth and accounting databases

2010-08-27 Thread Alan DeKok
Trey Scarborough wrote:
> Alan DeKok wrote:
...
>>  Let me guess... you have policies for accounting which use SQL-Group?
>>
> No, it breaks the authentication when I add the accounting configuration

  Fine.  You have *authentication* policies which use SQL-Group.
That's the issue.

  When there is *one* SQL module, the SQL-Group attribute refers only to
it.  When there are *two* SQL modules... which one does it refer to?
That's the problem you're running into.

  The simple solution here is to use the "instantiate" section of
radiusd.conf.  List sql-acct first, and sql-auth second.  That way,
the SQL-Group comparison will use the sql-auth module, and not the
sql-acct module.

  Alan DeKok.


Re: usergroup problems with separate auth and accounting databases

2010-08-27 Thread Trey Scarborough

Alan DeKok wrote:
>   The simple solution here is to use the "instantiate" section of
> radiusd.conf.  List sql-acct first, and sql-auth second.  That way,
> the SQL-Group comparison will use the sql-auth module, and not the
> sql-acct module.
>
>   Alan DeKok.

Thanks, that fixed the problem. I would have thought it would have been
the other way, sql-auth before sql-acct.



Re: usergroup problems with separate auth and accounting databases

2010-08-26 Thread Alan DeKok
Trey Scarborough wrote:
> Yes, I am aware of how it is documented. I followed the documentation but
> it still is not functioning correctly.
>
> I have a configuration that is similar to as follows

  <sigh>  Similar is not the same.

  Perhaps you could explain in *detail* what you are trying to do with
SQL groups.  Use examples from your configuration, not invented ones.

  Alan DeKok.


Re: usergroup problems with separate auth and accounting databases

2010-08-26 Thread Trey Scarborough

Alan DeKok wrote:
> Trey Scarborough wrote:
>> Yes, I am aware of how it is documented. I followed the documentation but
>> it still is not functioning correctly.
>>
>> I have a configuration that is similar to as follows
>
>   <sigh>  Similar is not the same.
>
>   Perhaps you could explain in *detail* what you are trying to do with
> SQL groups.  Use examples from your configuration, not invented ones.
>
>   Alan DeKok.

All I am trying to do is run the RADIUS auth queries on a database on one
machine and the accounting on another, in another database. The problem I
am seeing is that when the additional sql configuration is put in for
the accounting database, it begins to use that configuration for the
group_membership_query, which is not in the accounting database, and
fails. If I remove the sql-auth from the accounting configuration it
runs fine using the rad-auth sql configuration. Here are the excerpts from
my configuration. I am trying to set some radreply items with sql and
some by the users file by group. This works fine until I try to separate
the databases.


authorize {
	preprocess
	chap
	mschap
	suffix
	sql-auth
	files
}
accounting {
	detail
	radutmp
	sql-acct  # works when this line is commented out
}

# sql.conf file
sql sql-auth {
	driver = "rlm_sql_mysql"
	server = "localhost"
	login = "radius"
	password = "radpass"
	radius_db = "radius"
	postauth_table = "radpostauth"
	authcheck_table = "radcheck"
	authreply_table = "radreply"
	groupcheck_table = "radgroupcheck"
	groupreply_table = "radgroupreply"
	usergroup_table = "usergroup"
	nas_table = "nas"
	deletestalesessions = no
	sqltrace = no
	sqltracefile = ${logdir}/sqltrace.sql
	num_sql_socks = 5
	connect_failure_retry_delay = 60
	sql_user_name = "%{User-Name}"

	authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
		FROM ${authcheck_table} \
		WHERE Username = '%{SQL-User-Name}' \
		ORDER BY id"
	authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
		FROM ${authreply_table} \
		WHERE Username = '%{SQL-User-Name}' \
		ORDER BY id"
	group_membership_query = "SELECT GroupName FROM ${usergroup_table} \
		WHERE UserName = '%{SQL-User-Name}'"

	#
	# Set to 'yes' to read radius clients from the database ('nas' table)
	readclients = yes
}

sql sql-acct {
	driver = "rlm_sql_mysql"
	server = "192.168.5.84"
	login = "radius"
	password = "radpass"
	radius_db = "radius-acct"
	acct_table1 = "radacct"
	acct_table2 = "radacct"
	accounting_onoff_query = "UPDATE ${acct_table1} \
		SET AcctStopTime = '%S', \
		    AcctSessionTime = unix_timestamp('%S') - unix_timestamp(AcctStartTime), \
		    AcctTerminateCause = '%{Acct-Terminate-Cause}', \
		    AcctStopDelay = '%{Acct-Delay-Time}' \
		WHERE AcctSessionTime = 0 AND AcctStopTime = 0 \
		  AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"

	accounting_update_query = "UPDATE ${acct_table1} \
		SET FramedIPAddress = '%{Framed-IP-Address}', \
		    AcctSessionTime = '%{Acct-Session-Time}', \
		    AcctInputOctets = '%{Acct-Input-Octets}', \
		    AcctOutputOctets = '%{Acct-Output-Octets}' \
		WHERE AcctSessionId = '%{Acct-Session-Id}' \
		  AND UserName = '%{SQL-User-Name}' \
		  AND NASIPAddress = '%{NAS-IP-Address}'"

	accounting_update_query_alt = "INSERT INTO ${acct_table1} \
		(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, \
		 NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, \
		 AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, \
		 ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) \
		VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', \
		 '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', \
		 DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), \
		 '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', \
		 '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', \
		 '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"

	accounting_start_query = "INSERT INTO ${acct_table1} \
		(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, \
		 NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, \
		 ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, \
		 CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, \
		 FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) \
		VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', \
		 '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', \
		 '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', \
		 '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', \
		 '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"

	accounting_start_query_alt = "UPDATE ${acct_table1} SET AcctStartTime = '%S

Re: usergroup problems with separate auth and accounting databases

2010-08-26 Thread Alan DeKok
Trey Scarborough wrote:
> All I am trying to do is run the RADIUS auth queries on a database on one
> machine and the accounting on another, in another database. The problem I
> am seeing is that when the additional sql configuration is put in for
> the accounting database, it begins to use that configuration for the
> group_membership_query

  Uh... no.  Nothing in the SQL accounting configuration uses the group
membership query.  See the source code.

> which is not in the accounting database and
> fails. If I remove the sql-auth from the accounting configuration it
> runs fine using the rad-auth sql configuration. Here are the excerpts from
> my configuration. I am trying to set some radreply items with sql and
> some by the users file by group. This works fine until I try to separate
> the databases.

  Let me guess... you have policies for accounting which use SQL-Group?

  Alan DeKok.


Re: usergroup problems with separate auth and accounting databases

2010-08-26 Thread Trey Scarborough

Alan DeKok wrote:
> Trey Scarborough wrote:
>> All I am trying to do is run the RADIUS auth queries on a database on one
>> machine and the accounting on another, in another database. The problem I
>> am seeing is that when the additional sql configuration is put in for
>> the accounting database, it begins to use that configuration for the
>> group_membership_query
>
>   Uh... no.  Nothing in the SQL accounting configuration uses the group
> membership query.  See the source code.

Exactly my problem, and why I don't understand why it breaks the
authorization RADIUS reply attributes.

>> which is not in the accounting database and
>> fails. If I remove the sql-auth from the accounting configuration it
>> runs fine using the rad-auth sql configuration. Here are the excerpts from
>> my configuration. I am trying to set some radreply items with sql and
>> some by the users file by group. This works fine until I try to separate
>> the databases.
>
>   Let me guess... you have policies for accounting which use SQL-Group?

No, it breaks the authentication when I add the accounting configuration.

>   Alan DeKok.

Here is another, more specific output from a debug.

It runs like this without the accounting configuration:

[sql-auth] sql_groupcmp
[sql-auth]  expand: %{User-Name} -> t...@testdomain.net
[sql-auth] sql_set_user escaped user --> 't...@testdomain.net'
rlm_sql (sql-auth): Reserving sql socket id: 3
rlm_sql_mysql: query:  SELECT GroupName FROM usergroup WHERE UserName='t...@testdomain.net'
[sql-auth] sql_groupcmp finished: User is a member of group active
rlm_sql (sql-auth): Released sql socket id: 3

It runs like this when I add the rad-acct to accounting. It appears to be
using sql-acct for the sql_groupcmp for some reason.

[sql-auth] sql_groupcmp
[sql-auth]  expand: %{User-Name} -> t...@testdomain.net
[sql-auth] sql_set_user escaped user --> 't...@testdomain.net'
rlm_sql (sql-acct): Reserving sql socket id: 4
rlm_sql (sql-acct): Released sql socket id: 4
[sql-auth] sql_groupcmp finished: User is NOT a member of group active

Any ideas as to why it would do this?



Re: usergroup problems with separate auth and accounting databases

2010-08-25 Thread Alan DeKok
Trey Scarborough wrote:
> I have two mysql configurations, one for my authentication requests and
> one for the accounting data. When it makes a groupcheck query it is
> always using the module for the accounting server. Is there any way to
> make this function correctly and have it use the configuration for the
> authentication database?

  read doc/rlm_sql, or the rlm_sql page on the Wiki.  This is documented.

  Alan DeKok.



Re: usergroup problems with separate auth and accounting databases

2010-08-25 Thread Trey Scarborough
Yes, I am aware of how it is documented. I followed the documentation but
it still is not functioning correctly.

I have a configuration that is similar to as follows:

sql sql1 {
	# configuration for authentication database
	# no accounting queries configured
}
sql sql2 {
	# configuration for accounting database
	# no authentication queries configured
}

# does not work: uses accounting sql2 for usergroup query
authorize {
	sql1
	files
}

accounting {
	detail
	sql2
}

# configuration of groups works fine, but I lose accounting sql
authorize {
	sql1
	files
}

accounting {
	detail
}

Alan DeKok wrote:
> Trey Scarborough wrote:
>> I have two mysql configurations, one for my authentication requests and
>> one for the accounting data. When it makes a groupcheck query it is
>> always using the module for the accounting server. Is there any way to
>> make this function correctly and have it use the configuration for the
>> authentication database?
>
>   read doc/rlm_sql, or the rlm_sql page on the Wiki.  This is documented.
>
>   Alan DeKok.

usergroup problems with separate auth and accounting databases

2010-08-24 Thread Trey Scarborough
I have two mysql configurations, one for my authentication requests and
one for the accounting data. When it makes a groupcheck query it is
always using the module for the accounting server. Is there any way to
make this function correctly and have it use the configuration for the
authentication database?


Any ideas of why this is happening?

Here is some output while doing a request. sql1 is the authentication DB and
sql2 is the accounting.


rad_recv: Access-Request packet from host 127.0.0.1 port 2701, id=94, length=61
	User-Name = "u...@domain.net"
	CHAP-Password = 0x000
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] Looking up realm "domain.net" for User-Name = "u...@domain.net"
[suffix] No such realm "vortexmail.com"
++[suffix] returns noop
[sql1]  expand: %{User-Name} -> u...@domain.net
[sql1] sql_set_user escaped user --> 'u...@domain.net'
rlm_sql (sql1): Reserving sql socket id: 4
[sql1]  expand: SELECT ..
rlm_sql_mysql: query:  SELECT ...
[sql1] User found in radcheck table
[sql1]  expand: SELECT ..
rlm_sql_mysql: query:  SELECT ...
[sql1]  expand: SELECT ...
rlm_sql_mysql: query:  SELECT
[sql1]  expand: SELECT ...
rlm_sql_mysql: query:  SELECT ..
[sql1] sql_groupcmp
[sql1]  expand: %{User-Name} -> u...@domain.net
[sql1] sql_set_user escaped user --> 'u...@domain.net'
rlm_sql (sql2): Reserving sql socket id: 4
rlm_sql (sql2): Released sql socket id: 4
[sql1] sql_groupcmp finished: User is NOT a member of group active
Invalid operator for item Sql-Group: reverting to '=='
rlm_sql (sql1): Released sql socket id: 4
++[sql1] returns ok
[files] sql_groupcmp
[files] expand: %{User-Name} -> u...@domain.net
[files] sql_set_user escaped user --> 'u...@domain.net'
rlm_sql (sql2): Reserving sql socket id: 3
rlm_sql (sql2): Released sql socket id: 3
[files] sql_groupcmp finished: User is NOT a member of group active
[files] sql_groupcmp
[files] expand: %{User-Name} -> u...@domain.net
[files] sql_set_user escaped user --> 'u...@domain.net'
rlm_sql (sql2): Reserving sql socket id: 2
rlm_sql (sql2): Released sql socket id: 2


Re: usergroup and radgroupcheck problem!

2009-11-15 Thread Hamid Reza Hasani
Hi (salaam),
Thanks for your help, but I solved the problem: I changed the
radgroupcheck query so it gets the groupname from the usergroup table and then
compares it! I think I have a better solution, isn't it?

BTW, thanks for your help; please inform me if you know why this problem
exists. Is it a bug?

Ya Ali
Hamid Reza Hasani

Re: usergroup and radgroupcheck problem!

2009-11-14 Thread tnt
>> It looks like you have edited sql queries and mixed user and group
>> queries. Post the part of the startup debug with sql initializing.
>>
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
> Thanks for your response, I attached the full log.

> authorize_check_query = SELECT id, groupname, attribute, Value, op
>   FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
>   ORDER BY id

That should be authorize_group_check_query.

> authorize_group_check_query = SELECT id, username, attribute, value, op
>   FROM radcheck WHERE username = BINARY '%{SQL-User-Name}'
>   ORDER BY id

And that should be authorize_check_query. Swap them over.


Ivan Kalik
Kalik Informatika ISP



Re: usergroup and radgroupcheck problem!

2009-11-13 Thread Hamid Reza Hasani
> It looks like you have edited sql queries and mixed user and group
> queries. Post the part of the startup debug with sql initializing.
>
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks for your response, I attached the full log.

Ya Ali
Hamid Reza Hasani

[Attachment: radius.log]

usergroup and radgroupcheck problem!

2009-11-12 Thread Hamid Reza Hasani
Hi (Salam),
I'm using the latest version of FreeRADIUS. When my users are going to connect, I
see this message:

[sql]   expand: %{User-Name} -> myuser
[sql] sql_set_user escaped user --> 'myuser'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '' ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '' ORDER BY id
[sql]   expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'myuser' ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname FROM usergroup WHERE username = 'myuser' ORDER BY priority
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'myuser' ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'myuser' ORDER BY id
[sql] User found in group test
[sql]   expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
++[expiration] returns noop
++[logintime] returns noop

If you look at them carefully, you can see there is a bit of a problem! My
FreeRADIUS reads radgroupcheck before the usergroup table, so it can't
recognize the user's group name for the radgroupcheck query, so it can't read
the radgroupcheck attributes!
Where is my fault? Can I change its priority?

Thanks
Ya Ali
Hamid Reza Hasani

Re: usergroup and radgroupcheck problem!

2009-11-12 Thread tnt
> If you look at them carefully, you can see there is a bit of a problem! My
> FreeRADIUS reads radgroupcheck before the usergroup table, so it can't
> recognize the user's group name for the radgroupcheck query, so it can't read
> the radgroupcheck attributes!
> Where is my fault? Can I change its priority?

It looks like you have edited sql queries and mixed user and group
queries. Post the part of the startup debug with sql initializing.


Ivan Kalik
Kalik Informatika ISP



Re: rlm_sql: usergroup lookup if User-Profile is defined

2009-10-25 Thread Bjørn Mork
Bjørn Mork bj...@mork.no writes:

> I am wondering if I'm the only one who finds the following default
> behaviour a bit confusing:  Given a user defined like this:
>
>  user1 Cleartext-Password := "foo", User-Profile := "profile1"
>
> I would expect profile1 to always be looked up in the usergroup
> table for this user.  However, this won't happen if user1 is defined
> in that table without Fall-Through.  rlm_sql will look up user1 first
> and only look up profile1 if either user1 is not found or
> Fall-Through is set by the user1 groups.


Some more information about what I'm trying to achieve.  Maybe I'm doing
something very awkward and strange, and really should go another route.
Any hints are appreciated.


I have 2.6 million user accounts:

mysql> select count(distinct(username)) from radcheck;
+---------------------------+
| count(distinct(username)) |
+---------------------------+
|                   2627686 |
+---------------------------+
1 row in set (7.41 sec)


Nearly all of these set User-Profile:

mysql> select count(*) from radcheck where attribute = 'User-Profile';
+----------+
| count(*) |
+----------+
|  2627522 |
+----------+
1 row in set (2.19 sec)


The profiles represent a small number of common check and reply items
for one account class.  There are only(?) 83 such distinct account types
at the moment:


mysql> select count(distinct(username)) from radusergroup;
+---------------------------+
| count(distinct(username)) |
+---------------------------+
|                        83 |
+---------------------------+
1 row in set (0.01 sec)



Most of the profiles have more than one entry in the radusergroup, to do
prioritized lookups like

user1   NAS-Port-Type == xDSL
        attribute1 = foo

user1   NAS-Port-Type == Ethernet
        attribute1 = bar



So the total number of entries in radusergroup is higher than the number
of profiles, giving an average of 4.7 group check lists per profile:


mysql> select count(*) from radusergroup;
+----------+
| count(*) |
+----------+
|      387 |
+----------+
1 row in set (0.00 sec)




Now, I do realize that the original design is based on an assumption
that every user will have an individual entry in radusergroup, mapping
to every group check list for that user.  I am trying to avoid that
because:

  - I don't need it:  There are only 83 distinct profiles, not 2.6 million
  - mapping a user to a profile instead of a group list virtualizes the
    knowledge of the actual profile contents, thereby avoiding the need
    for every script creating user accounts to do this mapping (there is
    more than 1 such script...)
  - the 2.6 million users would expand to approx. 12.3 million rows in
    the usergroup tables, assuming an even distribution among the
    profiles (real numbers are probably worse, as the most common
    profiles also tend to be the most complex ones).  The alternative is
    2.6 million rows in the radcheck table, saving ~10 million rows...
  - not adding users to radusergroup reduces the number of tables a
    useradd script needs to touch from 3 to 2.  Remember again that each
    such table will be shared among several writers, and therefore needs
    a per-row ownership policy

But to be able to use the radusergroup as I want, I have one
requirement:

  - "eviluser" should not gain access to anything by using "profile" as
    username, even if "profile" sets a password (some profiles might be
    meant for devices with a preprogrammed common password, where the
    individual user check list is doing the actual authentication based
    on e.g. Calling-Station-Id)

 and also some wishes:

  - "profile1" should be both a valid username and profile name, where
    the user very well could be mapped to "profile2"
  - looking up the username in the radusergroup table is pointless, so
    it should be avoided
  - in particular, looking up a username not found in radcheck or which
    failed the radcheck items should be avoided.  It is guaranteed to be
    pointless if the requirement above is fulfilled.



I think I can meet my requirement without any code changes by adding a
check item like this to every group referenced by profilename:

  User-Name != profilename

(maybe think a bit about case sensitivity here - doing case sensitive
lookups in the radusergroup table would solve that)

But AFAICS, my wishlist items would need a code change.  My suggestion
would be something like this, of course defaulting to the existing
behaviour (concept for discussion only - not even build tested): 

diff --git a/raddb/sql.conf b/raddb/sql.conf
index 690c3a2..631e7b5 100644
--- a/raddb/sql.conf
+++ b/raddb/sql.conf
@@ -66,6 +66,10 @@ sql {
# If set to 'no' the user MUST have Fall-Through = Yes in the radreply 
table
# read_groups = yes
 
+   # If set to 'yes' then only the User-Profile is looked up in the 
usergroup table
+   # If set to 'no' (default) then we lookup the username first
+   # user_profile_only
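Review bot: the three visible added lines are comment only, and the option they describe is left as a bare `# user_profile_only` with no value, while the existing `# read_groups = yes` just above shows its default inline; write it as `# user_profile_only = no` so the example documents both the syntax and the default the comment promises. The diff header names raddb/sql.conf only, so the rlm_sql change that parses the item and skips the username lookup in the usergroup table is not in the posted patch; as posted, uncommenting the option would have no effect, and the documentation and code halves should be reviewed together. Minor: "we lookup the username" should read "we look up the username".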

rlm_sql: usergroup lookup if User-Profile is defined

2009-10-24 Thread Bjørn Mork
Hello,

I am wondering if I'm the only one who finds the following default
behaviour a bit confusing:  Given a user defined like this:

 user1 Cleartext-Password := "foo", User-Profile := "profile1"

I would expect profile1 to always be looked up in the usergroup
table for this user.  However, this won't happen if user1 is defined
in that table without Fall-Through.  rlm_sql will look up user1 first
and only look up profile1 if either user1 is not found or
Fall-Through is set by the user1 groups.


Bjørn


usergroup

2008-12-04 Thread sugiarto tjahyono
Hi All,

I have a few problems.

I have freeradius version 1.0.5 running with rlm_sql.

radcheck:
username, attribute, op, value
test1, password, ==, testpass
test2, password, ==, testpass

radreply:
none

radusergroup:
username, groupname
test1, HS1
test2, HS2
test2, HS1

radgroupcheck:
groupname, attribute, op, value
HS1, Called-Station-Id, ==, device1
HS2, Called-Station-Id, ==, device2

radgroupreply:
groupname, attribute, op, value, prio
HS1, Framed-Pool, =, pool1, 0
HS2, Framed-Pool, =, pool2, 0

The problem is that users test1 and test2 can connect and get pool1, but user test2
can't connect and can't get pool2.
I already use Fall-Through = Yes in radreply and radgroupreply, but it still
does not work.

When I use freeradius 2.1.1, that setting works.
Does freeradius 1.0.5 not support multiple groups, or is something wrong with my
settings?
How many groups can be assigned to one user in freeradius 2.1.1?


Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-12 Thread Carlos Eduardo Tavares Terra
Many thanks... It is working now! :)

On Tue, Sep 9, 2008 at 5:11 AM, Alan DeKok [EMAIL PROTECTED] wrote:
> Carlos Eduardo Tavares Terra wrote:
>> Sorry, but maybe I didn't understand how virtual servers really work.
>
>  raddb/sites-available/README
>
>  Each virtual server is a RADIUS server, just like in 1.x.  The only
> difference is that you don't need to run multiple processes to get
> multiple server configurations.
>
>> I have separated into different virtual servers because each type of
>> service has different modules implemented by me. In freeradius1 I was
>> using the groupreply 'Exec-Program-Wait' and different radius servers
>> for each service. In each server I have modified the sql queries
>
>  i.e. in 1.x, you modified the SQL queries in the sql module
> configuration, for each server.  i.e. you were running TWO different
> instances of the SQL module.
>
>  I think the problem is that you're trying to use only ONE instance of
> the SQL module in 2.x.  Instead, do this in the modules section:
>
>  sql sql1 {
>    ... content from 1.x server1, INCLUDING queries
>  }
>
>  sql sql2 {
>    ... content from 1.x server2, INCLUDING queries
>  }
>
>  Then, use sql1 in the virtual server for server1, and sql2 in the
> virtual server for sql2.
>
>  Alan DeKok.




-- 
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux


Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-09 Thread Alan DeKok
Carlos Eduardo Tavares Terra wrote:
> Sorry, but maybe I didn't understand how virtual servers really work.

  raddb/sites-available/README

  Each virtual server is a RADIUS server, just like in 1.x.  The only
difference is that you don't need to run multiple processes to get
multiple server configurations.

> I have separated into different virtual servers because each type of
> service has different modules implemented by me. In freeradius1 I was
> using the groupreply 'Exec-Program-Wait' and different radius servers
> for each service. In each server I have modified the sql queries

  i.e. in 1.x, you modified the SQL queries in the sql module
configuration, for each server.  i.e. you were running TWO different
instances of the SQL module.

  I think the problem is that you're trying to use only ONE instance of
the SQL module in 2.x.  Instead, do this in the modules section:

  sql sql1 {
    ... content from 1.x server1, INCLUDING queries
  }

  sql sql2 {
    ... content from 1.x server2, INCLUDING queries
  }

  Then, use sql1 in the virtual server for server1, and sql2 in the
virtual server for sql2.

  Alan DeKok.


Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-08 Thread Carlos Eduardo Tavares Terra
Sorry, but maybe I didn't understand how virtual servers really work.

I have one big users base. The users can be in one or more groups.

User:John - Group:dialup
User:John - Group:broadband

User:Jack - Group:dialup
User:Jack - Group: hotspot

John and Jack are in my radcheck and radusergroup tables.

Username: John  Username: Jack
Attribute: Password Attribute: Password
Op: :=  Op: :=
Value: crypt('test')Value: crypt('test2')


My nas clients are in database too.

nasname: 192.168.2.2nasname: 192.168.2.3
shortname: dialup-nas   shortname: broadband-nas
type: cisco type: cisco
secret: secret-password secret: secret-password
server: dialup  server: broadband


My problem is here:

expand: %{User-Name} - John
rlm_sql (sql): sql_set_user escaped user -- 'John'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = '%{SQL-User-Name}'
ORDER BY id - SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = 'John'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op
FROM radreply   WHERE username = '%{SQL-User-Name}'
ORDER BY id - SELECT id, username, attribute, value, op
FROM radreply   WHERE username = 'John'   ORDER BY id
expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'   ORDER BY priority -
SELECT groupname   FROM radusergroup   WHERE username
= 'John'   ORDER BY priority
expand: SELECT id, groupname, attribute,   Value, op
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'
 ORDER BY id - SELECT id, groupname, attribute,
Value, op   FROM radgroupcheck   WHERE groupname =
'dialup'   ORDER BY id
rlm_sql (sql): User found in group dialup
expand: SELECT id, groupname, attribute,   value, op
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'
 ORDER BY id - SELECT id, groupname, attribute,
value, op   FROM radgroupreply   WHERE groupname =
'dialup'   ORDER BY id
rlm_sql (sql): Released sql socket id: 2


John is connecting through broadband-nas, but freeradius is getting the
dialup groupname and all its checks and replies.
Dialup and broadband have the same priority in the radusergroup table.

I wish to 'force' something like 'dialup-nas' - 'dialup group',
'broadband-nas' - 'broadband group'.

Maybe I'm going the wrong way.

I have separated into different virtual servers because each type of
service has different modules implemented by me. In freeradius1 I was
using the groupreply 'Exec-Program-Wait' and different radius servers
for each service. In each server I modified the sql queries to get
only replies and checks for the respective groups (services).

What is the 'right' way to implement this scenario with freeradius 2?

Thank you for the help.

2008/9/6  [EMAIL PROTECTED]:
 No. You define virtual home servers in proxy.conf.

 Ivan Kalik
 Kalik Informatika ISP



Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-06 Thread Carlos Eduardo Tavares Terra
Can I associate in groupcheck a groupname with a virtual server?

I have separated each type of services into different virtual servers,
because each one of then has different modules.

Thanks

On Fri, Sep 5, 2008 at 2:49 PM, Ivan Kalik [EMAIL PROTECTED] wrote:
 Radgroupcheck table.

 Ivan Kalik
 Kalik Informatika ISP

-- 
Carlos Eduardo Tavares Terra
Analista de Sistemas
Petróleo Brasileiro S/A
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux



Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-06 Thread tnt
No. You define virtual home servers in proxy.conf.

Ivan Kalik
Kalik Informatika ISP


Dana 6/9/2008, Carlos Eduardo Tavares Terra [EMAIL PROTECTED]
piše:

Can I associate in groupcheck a groupname with a virtual server?

I have separated each type of services into different virtual servers,
because each one of then has different modules.

Thanks



RE: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-05 Thread Ivan Kalik
Radgroupcheck table.

Ivan Kalik
Kalik Informatika ISP



FreeRadius2 + MySQL: NAS x Usergroup

2008-09-04 Thread Carlos Eduardo Tavares Terra
Dear freeradius users,

I have a special scenario. Today I have many freeradius servers,
each one responsible for different services.

   Now I want to group these freeradius servers into one master server,
but I have users in many different usergroups (one for each service).
   How can I associate a usergroup with a NAS?
   Example:
   NAS (192.168.2.1) - Usergroup (Dialup)
   NAS (192.168.2.2) - Usergroup (Broadband)
   NAS (192.168.2.3) - Usergroup (Hotspot)

   I saw how to do this using huntgroups, but I want to use a mysql
database with all clients.

  Are there other ways to implement these different services in one
radius server, maybe the right way? If not, how can I associate the
usergroups and NAS using mysql?

Thank you
-- 
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux


nas / usergroup?

2007-09-03 Thread Genis Pujol Hamelink
Hello,
 
I've been browsing the wiki looking for information on how to set up different 
domains or authentication groups, but couldn't find how to link a NAS to a 
usergroup (is community in the nas table equivalent to GroupName?)...
 
What I want is to define several groups so that only users in a group can 
authenticate through a NAS from that group.
 
 
regards,
 
Genís  


Re: nas / usergroup?

2007-09-03 Thread tnt
Use huntgroups to group access servers. Then use Huntgroup-Name in
radgroupcheck to restrict access.

Ivan Kalik
Kalik Informatika ISP


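The huntgroup approach Ivan gives here (and his one-line "Radgroupcheck table." answer in the 2008 thread above), as an added SQL example that is not code from the thread or from the FreeRADIUS project: constructed radcheck, radusergroup and radgroupcheck rows in which a `Huntgroup-Name` check item ties each usergroup to the NAS group that the preprocess module's huntgroups file assigns, plus a lowest-priority catch-all group that turns "no group matched" into a reject. The user, group and huntgroup names, the two huntgroups file lines quoted in the comments, and the `reject-all` catch-all are assumptions of this example.

```sql
-- Added example, not code from the thread or from the FreeRADIUS project.
-- Constructed rows for the approach Ivan gives: the preprocess module's
-- huntgroups file names each NAS, and a Huntgroup-Name check item in
-- radgroupcheck ties a usergroup to that NAS name. Table and column names
-- are the stock FreeRADIUS MySQL schema; the user, group and huntgroup
-- names and the reject-all catch-all group are assumptions of this example.
--
-- Assumed huntgroups entries (raddb/huntgroups, read by preprocess, which
-- has to run in authorize before sql so the name is set when sql compares):
--   dialup-nas     NAS-IP-Address == 192.168.2.2
--   broadband-nas  NAS-IP-Address == 192.168.2.3
CREATE TABLE radcheck (
    id        INT AUTO_INCREMENT PRIMARY KEY,
    username  VARCHAR(64)  NOT NULL DEFAULT '',
    attribute VARCHAR(64)  NOT NULL DEFAULT '',
    op        CHAR(2)      NOT NULL DEFAULT '==',
    value     VARCHAR(253) NOT NULL DEFAULT ''
);
CREATE TABLE radusergroup (
    username  VARCHAR(64) NOT NULL DEFAULT '',
    groupname VARCHAR(64) NOT NULL DEFAULT '',
    priority  INT         NOT NULL DEFAULT 1
);
CREATE TABLE radgroupcheck (
    id        INT AUTO_INCREMENT PRIMARY KEY,
    groupname VARCHAR(64)  NOT NULL DEFAULT '',
    attribute VARCHAR(64)  NOT NULL DEFAULT '',
    op        CHAR(2)      NOT NULL DEFAULT '==',
    value     VARCHAR(253) NOT NULL DEFAULT ''
);

-- Per-user credentials stay in radcheck as usual.
INSERT INTO radcheck (username, attribute, op, value) VALUES
    ('John', 'Cleartext-Password', ':=', 'test'),
    ('Jack', 'Cleartext-Password', ':=', 'test2');

-- Each user is in the group(s) for the services they may use, plus a
-- lowest-priority (highest number) catch-all group that rejects.
INSERT INTO radusergroup (username, groupname, priority) VALUES
    ('John', 'dialup',     1),
    ('John', 'reject-all', 99),
    ('Jack', 'broadband',  1),
    ('Jack', 'reject-all', 99);

-- The check item that does the work: a group only matches when preprocess
-- has tagged the request with the huntgroup of one of that group's NASes.
-- The catch-all carries no comparison at all; ':=' items are not compared,
-- they are copied into the request's control items once the group matches.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
    ('dialup',     'Huntgroup-Name', '==', 'dialup-nas'),
    ('broadband',  'Huntgroup-Name', '==', 'broadband-nas'),
    ('reject-all', 'Auth-Type',      ':=', 'Reject');

-- The group list rlm_sql walks for John, in priority order (this is the
-- group_membership_query from the 2008 thread's debug output with the
-- xlat expanded). The Huntgroup-Name comparison itself happens in the
-- server against the huntgroups file, not in SQL.
SELECT groupname FROM radusergroup
 WHERE username = 'John'
 ORDER BY priority;
-- Request from 192.168.2.2: Huntgroup-Name is dialup-nas, 'dialup' matches
--   and, with no Fall-Through, group processing stops; John is accepted.
-- Request from 192.168.2.3: 'dialup' fails its check and is skipped,
--   'reject-all' matches and sets Auth-Type := Reject; John is rejected.
```

The catch-all is what makes Ivan's restriction an actual restriction: a group whose check items fail is merely skipped, and the user's password from radcheck would otherwise still let them authenticate through any NAS. Giving every user the reject-all membership at the lowest priority means a request that matches none of the service groups is refused explicitly, and the reject shows up in the debug output as the group that matched rather than as a silent fall-through.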


usergroup

2004-02-26 Thread Craig Witter








I've recently configured freeradius with sql support.
I have it doing all the lookups fine. I was wondering, though, if there was any
way to have radius use a default group, rather than having to create a second
entry in the usergroup table. We're simply using radius for
authentication purposes, and no static ip or other info would need to be
provided to radius.

Thanks,

Craig