Grant access to a groups of users to a determinated subnets


Grant access to a groups of users to a determinated subnets

Users mailing list

  Hi all, sorry to bother again. I would like to grant access to a group of users to specific subnets. For example:

In clients:

client 192.168.0.0/16 {
        ipaddr          = 192.168.0.0/16
        shortname       = LAN
        secret          = ****
}

In users:

test003 Crypt-Password := "$1$Z71rzgee$ZIJbcaMDyHtUtKN/", Huntgroup-Name == gNetworking, Huntgroup-Name == Servers
        Auth-Type = System,
        Service-Type = Login,
        Reply-Message = "Hello Test003",

(user test003 belongs to two huntgroups)

In huntgroups:

Servers        NAS-IP-Address =~ "/^172\.16\.0\.(1?\d\d?|2[0-4]\d|25[0-5])$/"
gNetworking    NAS-IP-Address =~ /^192\.168\.(1?\d\d?|2[0-4]\d|25[0-5])\.(1?\d\d?|2[0-4]\d|25[0-5])$/

Trying also:

gNetworking    NAS-IP-Address =~ "/^192\.168\.(1?\d\d?|2[0-4]\d|25[0-5])\.(1?\d\d?|2[0-4]\d|25[0-5])$/"

Trying also:

gNetworking    NAS-IP-Address =~ ^192\.168\.(1?\d\d?|2[0-4]\d|25[0-5])\.(1?\d\d?|2[0-4]\d|25[0-5])

Trying also:

gNetworking    NAS-IP-Address =~ ^192\.168\.(1?\d\d?|2[0-4]\d|25[0-5])\.(1?\d\d?|2[0-4]\d|25[0-5]), NAS-Group := "networking"

I get this error: "Parse error (check) for entry gNetworking: Expected end of line or comma", or it does not work anyway.

Using this to verify the regex: https://regex101.com/

Following this thread: http://freeradius.1045715.n5.nabble.com/Matching-a-value-within-an-IP-subnet-td3216040.html

Using: FreeRADIUS Version 3.0.4

Any idea? Thanks!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Grant access to a groups of users to a determinated subnets

Alan DeKok-2
On Jan 27, 2020, at 8:37 AM, Condor via Freeradius-Users <[hidden email]> wrote:
>
>   Hi all, sorry for bother again, i like to grant access to a groups of users to a determinated subnets. For example:
>
> In huntgroups:Servers   NAS-IP-Address =~ "/^172\.16\.0\.(1?\d\d?|2[0-4]\d|25[0-5])$/"
> gNetworking        NAS-IP-Address =~ /^192\.168\.(1?\d\d?|2[0-4]\d|25[0-5])\.(1?\d\d?|2[0-4]\d|25[0-5])$/

  v3 doesn't support regular expressions in hunt groups.  Write a policy in "unlang", in sites-enabled/default

  Alan DeKok.



Re: Grant access to a groups of users to a determinated subnets

Users mailing list
  Sorry to ask again: is there an alternative to the huntgroup regex for subnets? unlang might be possible, but I don't understand how to use it. Could someone please point me to some example?
Thanks!


Re: Grant access to a groups of users to a determinated subnets

Matthew Newton-3
On Wed, 2020-01-29 at 14:06 +0000, Condor via Freeradius-Users wrote:
>   Sorry for ask again, there is an alternative to hunt group regex
> for subnet? unlang is possible maybe, but i don't understand how to
> use it. Someone could please point me some example

https://freeradius.org/radiusd/man/unlang.html

if (&NAS-IP-Address =~ /^192\.168\.(1?\d\d?|2[0-4]\d|25[0-5])\.(1?\d\d?|2[0-4]\d|25[0-5])$/) {
  update control {
    &Huntgroup-Name == "gNetworking"
  }
}

You can also check if IPs are in a particular network - see the man
page. e.g.

if (<ipaddr>192.0.2.1 < 192.0.2.0/24) {
  ...
}

if (&NAS-IP-Address < 192.0.2.0/24) {
  ...
}


--
Matthew



Re: Grant access to a groups of users to a determinated subnets

Users mailing list
 Hi Matthew, thanks for the help.

users:

test003 Crypt-Password := "$1$Z71ee$Z62hAIPIJbcaMDyHtUN/", Huntgroup-Name == gNetworking
        Auth-Type = System,
        Service-Type = Login,
        Reply-Message = "Hello Test001",

huntgroups: nothing

I put these lines in sites-available/default in the "authorize" section:

        if (&NAS-IP-Address < 192.168.0.0/16) {
          update control {
            &Huntgroup-Name == "gNetworking"
          }
        }

When I try to execute radiusd -X I get this:

/etc/raddb/sites-enabled/default[273]: Parse error in condition
        if (&NAS-IP-Address < 192.168.0.0/16) {
                              ^ Failed to parse value for attribute
Errors reading or parsing /etc/raddb/radiusd.conf

Thanks!

Re: Grant access to a groups of users to a determinated subnets

Users mailing list
 One thing fixed:

if (<ipv4prefix>&NAS-IP-Address < 192.168.0.0/16)

instead of:

if (&NAS-IP-Address < 192.168.0.0/16)

In radiusd -X:

if (<ipv4prefix>&NAS-IP-Address == 192.168.0.0/16)  -> FALSE

Any idea? Thanks!

Re: Grant access to a groups of users to a determinated subnets

Users mailing list
 Same thing with "<":

if (<ipv4prefix>&NAS-IP-Address < 192.168.0.0/16)  -> FALSE
 

Re: Grant access to a groups of users to a determinated subnets

Alan DeKok-2


> On Feb 3, 2020, at 8:04 AM, Condor via Freeradius-Users <[hidden email]> wrote:
>
> Hi Matthew, thanks for help,
> users:
> test003 Crypt-Password := "$1$Z71ee$Z62hAIPIJbcaMDyHtUN/", Huntgroup-Name == gNetworking        Auth-Type = System,        Service-Type = Login,        Reply-Message = "Hello Test001",


  That doesn't make sense.  You shouldn't set *both* a password, *and* Auth-Type.  Just delete 'Auth-Type := system'

> huntgroup : nothing
> I put theses lines on sites-available/default in section "authorize":
>
>         if (&NAS-IP-Address < 192.168.0.0/16) {  

  Use:

        if (<ipv4prefix> &NAS-IP-Address < 192.168.0.0/16) {

  Alan DeKok.



Re: Grant access to a groups of users to a determinated subnets

Users mailing list
 Now if I do this:

    (0)    if (<ipv4prefix>&NAS-IP-Address < 192.168.0.0/16)  -> FALSE
        (NAS-IP-Address=192.168.212.250)

But if I do this:

    if (<ipv4prefix>192.168.212.250 < 192.168.0.0/16)  -> TRUE

In sites-available/default, authorize part:

       if (<ipaddr>"192.168.212.254" < 192.168.208.0/24) {
          update control {
            &Huntgroup-Name == "gtest003"
          }
       }

In users:

test003 Crypt-Password := "$1$jwGqjrOP$zLsB3uUlLsTx2wG.bj7uD0", Huntgroup-Name == gtest003
        Auth-Type = System,
        Service-Type = Login,
        Reply-Message = "Hello test003",

In huntgroups: nothing

radiusd -X (brief):

(0)    if (<ipv4prefix>192.168.212.254 < 192.168.0.0/16)
(0)    if (<ipv4prefix>192.168.212.254 < 192.168.0.0/16)  -> TRUE
(0)   if (<ipv4prefix>192.168.212.254 < 192.168.0.0/16)  {
(0)    update control {
(0)  &Huntgroup-Name = 'gtest003'
(0)    } # update control = noop
(0)   } # if (<ipv4prefix>192.168.212.254 < 192.168.0.0/16)  = noop
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0)  suffix : Checking for suffix after "@"
(0)  suffix : No '@' in User-Name = "test003", looking up realm NULL
(0)  suffix : No such realm "NULL"
(0)   [suffix] = noop
(0)  eap : No EAP-Message, not doing EAP
(0)   [eap] = noop
(0)   [files] = noop
(0)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type
(0)  WARNING: pap : Authentication will fail unless a "known good" password is available

What am I doing wrong? Is there an easy way to match groups of NAS addresses (subnets or lists) against users? I have tried huntgroups (with regex) and unlang (that piece of code).

Please throw me a rope,
thanks!


Re: Grant access to a groups of users to a determinated subnets

Matthew Newton-3
On Tue, 2020-02-04 at 12:44 +0000, Condor via Freeradius-Users wrote:
>  Now if i do this:
>     (0)    if (<ipv4prefix>&NAS-IP-Address < 192.168.0.0/16)  ->
> FALSE
>         (NAS-IP-Address=192.168.212.250)
> But, if i do this:
>     if (<ipv4prefix>192.168.212.250 < 192.168.0.0/16)  -> TRUE

Can you send plaintext e-mail, rather than the mangled up HTML version.


It works fine in the latest version:

if (&NAS-IP-Address < 192.168.0.0/24) {
  update reply {
    Reply-Message += "in 192"
  }
}

if (&NAS-IP-Address < 127.0.0.0/8) {
  update reply {
    Reply-Message += "in 127"
  }
}


$ radtest bob test 127.0.0.1 0 testing123
Sent Access-Request Id 188 from 0.0.0.0:35671 to 127.0.0.1:1812 length
73
        User-Name = "bob"
        User-Password = "test"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "test"
Received Access-Accept Id 188 from 127.0.0.1:1812 to 127.0.0.1:35671
length 28
        Reply-Message = "in 127"


(0)     if (&NAS-IP-Address < 192.168.0.0/24) {
(0)     if (&NAS-IP-Address < 192.168.0.0/24)  -> FALSE
(0)     if (&NAS-IP-Address < 127.0.0.0/8) {
(0)     if (&NAS-IP-Address < 127.0.0.0/8)  -> TRUE
(0)     if (&NAS-IP-Address < 127.0.0.0/8)  {
(0)       update reply {
(0)         Reply-Message += "in 127"
(0)       } # update reply = noop
(0)     } # if (&NAS-IP-Address < 127.0.0.0/8)  = noop


What version of FreeRADIUS are you running? You probably need to
upgrade.

--
Matthew
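A complete version of the policy this thread circles around, written here as an added example; it is not code from any of the posts or from the FreeRADIUS project. It shows two files: the unlang block for the "authorize" section (the subnet test Matthew shows, with the <ipv4prefix> cast Alan recommends) and the matching "users" entries. Assumptions beyond what the thread states: a 3.0.x release recent enough for the prefix comparison to work (the thread's 3.0.4 is not), the internal attribute Tmp-String-0 from the v3 dictionary as the carrier of the matched group name (a plain string attribute, so the check in "users" is a direct string comparison and does not go through the huntgroups file the way a Huntgroup-Name check does), and placeholder password hashes. Following Alan's advice, the user entries carry a password and no Auth-Type.

```unlang
# Added example, not from any post in this thread. Assumes FreeRADIUS 3.0.x
# recent enough for prefix comparisons, the internal attribute Tmp-String-0
# from the v3 dictionary, and placeholder password hashes.

# ---- /etc/raddb/sites-enabled/default, inside "authorize { ... }",
# ---- before the "files" module so that the users file can see the result.

# Map the NAS subnet to a group name. The <ipv4prefix> cast makes "<" an
# "address lies inside this prefix" test rather than a numeric comparison.
# Tmp-String-0 is internal: it never leaves the server on the wire.
if (<ipv4prefix>&NAS-IP-Address < 192.168.0.0/16) {
        update request {
                &Tmp-String-0 := "gNetworking"
        }
}
elsif (<ipv4prefix>&NAS-IP-Address < 172.16.0.0/24) {
        update request {
                &Tmp-String-0 := "Servers"
        }
}
else {
        # A NAS outside every known subnet is refused before any
        # authentication runs; Reply-Message survives the reject.
        update reply {
                &Reply-Message := "NAS not in an allowed subnet"
        }
        reject
}

# ---- /etc/raddb/mods-config/files/authorize (the "users" file) ----
#
# The first matching entry wins. Each entry checks the group name set by
# the policy above and carries the password but no Auth-Type.

test003 Crypt-Password := "<crypt hash for test003>", Tmp-String-0 == "gNetworking"
        Service-Type = Login,
        Reply-Message = "Hello test003 from the networking subnet"

test003 Crypt-Password := "<crypt hash for test003>", Tmp-String-0 == "Servers"
        Service-Type = Login,
        Reply-Message = "Hello test003 from the servers subnet"

# Anyone not matched above (wrong subnet for that user, unknown user)
# is rejected here rather than left for a later module to decide.
DEFAULT Auth-Type := Reject
        Reply-Message = "Access not permitted from this NAS"

# ---- Check, from the RADIUS host ("testing123" is the stock localhost
# ---- secret in clients.conf; the NAS address is a constructed value):
#
#   echo 'User-Name = test003, User-Password = <password>, NAS-IP-Address = 192.168.212.250' \
#     | radclient -x 127.0.0.1 auth testing123
#
# With "radiusd -X" running, the debug output should show the <ipv4prefix>
# condition evaluating to TRUE, the files module matching the first test003
# entry, and an Access-Accept carrying the networking Reply-Message.
```

The group name is written into the request list with `:=` because the files module compares the check items of a users entry against the request packet's attributes; `update` assigns, it does not test. Sending a second radclient request with a NAS-IP-Address outside both prefixes should produce an Access-Reject with the "NAS not in an allowed subnet" message, which is the quickest way to confirm the fail-closed branch is in place.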



Fw: Grant access to a groups of users to a determinated subnets

Users mailing list
Sorry, here it is in plain text, I guess (if I am seeing it right).


----- Forwarded Message -----

From: Condor <[hidden email]>
To: FreeRadius users mailing list <[hidden email]>; Matthew Newton <[hidden email]>
Sent: Tuesday, February 4, 2020, 09:44:32 AM GMT-3
Subject: Re: Grant access to a groups of users to a determinated subnets




Now if i do this:

    (0)    if (<ipv4prefix>&NAS-IP-Address < 192.168.0.0/16)  -> FALSE 
        (NAS-IP-Address=192.168.212.250)

But, if i do this:
    if (<ipv4prefix>192.168.212.250 < 192.168.0.0/16)  -> TRUE

in sites-available/default

authorize part:

       if (<ipaddr>"192.168.212.254" < 192.168.208.0/24) {
          update control {
            &Huntgroup-Name == "gtest003"
                }
       }

In users

test003 Crypt-Password := "$1$jwGqjrOP$zLsB3uUlLsTx2wG.bj7uD0", Huntgroup-Name == gtest003
        Auth-Type = System,
        Service-Type = Login,
        Reply-Message = "Hello test003",

In huntgroup: Nothing

Radius -X (brief)

(0)    if (<ipv4prefix>192.168.212.254 < 192.168.0.0/16) 
(0)    if (<ipv4prefix>192.168.212.254 < 192.168.0.0/16)  -> TRUE
(0)   if (<ipv4prefix>192.168.212.254 < 192.168.0.0/16)  {
(0)    update control {
(0)  &Huntgroup-Name = 'gtest003'
(0)    } # update control = noop
(0)   } # if (<ipv4prefix>192.168.212.254 < 192.168.0.0/16)  = noop
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0)  suffix : Checking for suffix after "@"
(0)  suffix : No '@' in User-Name = "test003", looking up realm NULL
(0)  suffix : No such realm "NULL"
(0)   [suffix] = noop
(0)  eap : No EAP-Message, not doing EAP
(0)   [eap] = noop
(0)   [files] = noop
(0)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type
(0)  WARNING: pap : Authentication will fail unless a "known good" password is available


What am I doing wrong?
Is there an easy way to match groups of NAS addresses (subnets or lists) against users? I have tried huntgroups (with regex) and unlang (that piece of code).

Please throw me a rope, 

thanks!






Re: Grant access to a groups of users to a determinated subnets

Users mailing list
Hi Matthew, I'm running FreeRADIUS Version 3.0.4.

Are you sure I need to update?

Even when the "if" gives me TRUE, it does not work either.

Thanks!



Re: Grant access to a groups of users to a determinated subnets

Matthew Newton-3
On Tue, 2020-02-04 at 13:20 +0000, Condor via Freeradius-Users wrote:
> Hi Matthew, i'm running FreeRADIUS Version 3.0.4
>
> Are you sure i need to update?

Yes, that's ancient.

--
Matthew

