Huntgroup Checking


Huntgroup Checking

simonm123
I'm new to freeradius but have it mainly set up just fine. It's a fantastic tool and I'm enjoying using it :)

Just one thing I'm struggling with is the huntgroups. I've followed the wiki to the letter and can see the server checking in the debug log.

What I basically want to do is restrict users to certain networks, as per the wiki. If their huntgroup-name matches their huntgroup based on nasip, they can get online, otherwise they're rejected.

I've put Huntgroup-Name = NetworkA in my radgroupcheck folder.

In my radhuntgroup table, I have the nasip and groupname = NetworkA

Then, in the authorize section of my default host, I put:

update request {
    Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}"
}

if (Huntgroup-Name == '') {
    reject
}

All as per the tutorial

In my debug log, if there is no match by IP, Huntgroup-Name is blank and the user is rejected.

However, if the nasip address matches but the name is different, the user is still allowed on.

Do I need a more advanced query in the if section and, if so, could you please advise what it should be?

Simon

Re: Huntgroup Checking

Alan DeKok-2
simonm123 wrote:
> Am new to freeradius but have it mainly set up just fine. It's a fantastic
> tool and I'm enjoying using it :)

  That's good to hear.

> Just one thing I'm struggling with is the huntgroups. I've followed the wiki
> to the letter and can see the server checking in the debug log.
>
> What I basically want to do is restrict users to certain networks, as per
> the wiki. If their huntgroup-name matches their huntgroup based on nasip,
> they can get online, otherwise they're rejected.

  OK...

> I've put Huntgroup-Name = NetworkA in my radgroupcheck folder.

  Use "==".  It does comparisons.

> In my radhuntgroup table, I have the nasip and groupname = NetworkA
>
> Then, in the authorize section of my default host, I put:
>
> update request {
>     Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE
> nasipaddress='%{NAS-IP-Address}'}"
> }

  No, that won't work.  The huntgroups are defined by the "huntgroups"
file.  You can't change them like you're trying to do.

  Instead, use another attribute.  Invent one.  See raddb/dictionary.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
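A worked configuration following Alan's advice above (a site-local attribute instead of Huntgroup-Name), added here as an example; it is not part of the original thread or of the FreeRADIUS distribution. The attribute name Site-Huntgroup and its number 3000 are this example's choice (raddb/dictionary reserves 3000-3999 for site-local attributes); the table and column names are the ones from the first post; the sql module instance is assumed to be named `sql`, as in the stock configuration.

```unlang
# raddb/dictionary -- site-local attribute (name and number chosen for this example)
ATTRIBUTE   Site-Huntgroup   3000   string

# raddb/sites-enabled/default, "authorize" section.
# The update and the check must run before the "sql" module so that the
# attribute is already in the request when rlm_sql evaluates the
# radcheck / radgroupcheck items.
authorize {
    preprocess

    # Resolve the NAS to its huntgroup name from the radhuntgroup table.
    # Values expanded inside %{sql:...} are escaped by rlm_sql; NAS-IP-Address
    # is an ipaddr attribute in any case, so it cannot carry SQL metacharacters.
    update request {
        Site-Huntgroup := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress = '%{NAS-IP-Address}'}"
    }

    # Fail closed: a NAS with no radhuntgroup row, or a request without
    # NAS-IP-Address (the xlat then expands to an empty string), is rejected.
    if (!Site-Huntgroup || (Site-Huntgroup == "")) {
        reject
    }

    # radcheck and radgroupcheck are evaluated here. A radgroupcheck row
    #   groupname=NetworkA-Users  attribute=Site-Huntgroup  op='=='  value=NetworkA
    # is compared against the request's Site-Huntgroup like any other string
    # check item, so members of NetworkA-Users (via radusergroup) are only
    # accepted from a NAS whose radhuntgroup entry is NetworkA.
    sql

    # ... the rest of the stock authorize section (pap, chap, mschap, ...) unchanged
}
```

To verify, run `radiusd -X`, send a request from a NAS whose radhuntgroup row names a different group, and confirm in the debug output that Site-Huntgroup is set to that group's name and that the sql module's radgroupcheck comparison fails. Two caveats: NAS-IP-Address is a value the client puts in the packet, so the lookup is only as trustworthy as the clients that hold a valid shared secret (keying on %{Packet-Src-IP-Address} instead ties it to the address the server actually received the packet from, which is not useful behind a proxy); and if you key on a string attribute such as NAS-Identifier rather than an ipaddr, you are relying on the sql module's escaping of the expanded value.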

Re: Huntgroup Checking

simonm123
I meant Huntgroup-Name == NetworkA in my radgroupcheck table. I'm not using the huntgroups file - they're all in my db.

The wiki suggests using the query below to restrict access per network. If that query is not going to work, it's a little misleading. Or is it just incomplete?




On 30 Oct 2011, at 17:03, Alan DeKok wrote:

> [...]

Re: Huntgroup Checking

simonm123
In reply to this post by Alan DeKok-2
On further investigation, I can see that the check works just fine if the attribute huntgroup-name == xxxxxxx is added to radcheck

For what reason can't we add to radgroupcheck?

What's the logic required to modify so we can restrict on a group level?


On 30 Oct 2011, at 17:03, Alan DeKok wrote:

> [...]

Re: Huntgroup Checking

simonm123
Can anyone tell me if huntgroup checking can be made to work on the group level, not just the user level?

Thanks

Re: Huntgroup Checking

Ben West-2
You may need to inspect whether the groupcheck query in
mysql/dialup.conf (if you are using MySQL) looks in the huntgroup
table.

For example, this is the default query in my copy of freeRADIUS
provided by Debian:

        authorize_group_check_query = "SELECT id, groupname, attribute, \
          Value, op \
          FROM ${groupcheck_table} \
          WHERE groupname = '%{Sql-Group}' \
          ORDER BY id"

Try modifying it as such:

        authorize_group_check_query = "SELECT id, groupname, attribute, \
          value, op \
          FROM ${groupcheck_table} \
          WHERE ( groupname = '%{Sql-Group}' \
          OR groupname = '%{Huntgroup-Name}' ) \
          ORDER BY id"


On Wed, Nov 2, 2011 at 9:07 AM, simonm123 <[hidden email]> wrote:

> [...]



--
Ben West
[hidden email]

Re: Huntgroup Checking

Lorenzo Milesi-2
I'm having the very same issue, and can't understand why.

If the Huntgroup-Name value is in radcheck the limitation is done correctly, but it is not when the Huntgroup-Name is in radgroupcheck, while the example here [1] is exactly with radgroupcheck.
The proposed change doesn't work, also because it's not relevant.
As per the example in the URL:
  user "example" is in group site_a_admins (radusergroup)
  site_a is in radhuntgroup
  radgroupcheck has:
    site_a_admins  Huntgroup-Name == site_a

Access is allowed anywhere.
If you move the check to radcheck, like:
    example  Huntgroup-Name == site_a
then the check is performed correctly.

The proposed modification to the group check query just adds huntgroup's properties to the request.


thanks

[1] http://wiki.freeradius.org/guide/SQL_Huntgroup_HOWTO

----- Original message -----

> From: "Ben West" <[hidden email]>
> To: "FreeRadius users mailing list" <[hidden email]>
> Sent: Wednesday, 2 November 2011 15:22:25
> Subject: Huntgroup Checking
> [...]

--
Lorenzo Milesi - [hidden email]

YetOpen S.r.l. - http://www.yetopen.it/