Plan assignment based on nas and ugroups


Plan assignment based on nas and ugroups

Ganga R. Dhungyel
Hello Community

I am running freeradius-3.0.13-10 with sql backend on centos to authenticate and authorize users based on group membership. Now a new requirement to assign vlan based on group AND nas has come up and I am not sure what is the best way to accomplish this. Need something like: If nas is xyz and user belongs to group A, then reply with vlan id 10, else if nas is abc and user belongs to group A, reply with vlan 100, else reply with vlan 200.

Is using huntgroup and groupcheck the best way to accomplish this? If so, what all needs modification? An example would be great. If not, what would be a better solution considering that I am using realm sql.

My apologies if this has been answered before. I browsed the list and really could not find the use case described.

Thank you.

--

Dhungyel
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Plan assignment based on nas and ugroups

Alan DeKok-2
On Jun 25, 2020, at 1:07 PM, Ganga R. Dhungyel <[hidden email]> wrote:
> I am running freeradius-3.0.13-10 with sql backend on centos to authenticate and authorize users based on group membership. Now a new requirement to assign vlan based on group AND nas has come up and I am not sure what is the best way to accomplish this. Need something like: If nas is xyz and user belongs to group A, then reply with vlan id 10, else if nas is abc and user belongs to group A, reply with vlan 100, else reply with vlan 200.

  You can just do this in unlang statements.  If your users are in LDAP, just:

        if (NAS-IP-Address == 1.2.3.4 && LDAP-Group == "foo") {
                update reply {
                        Tunnel-Type = VLAN,
                        Tunnel-Medium-Type = IEEE-802,
                        Tunnel-Private-Group-Id = "10"
                }
        }

  etc.

> Is using huntgroup and groupcheck the best way to accomplish this? If so, what all needs modification? An example would be great. If not, what would be a better solution considering that I am using realm sql.
>
> My apologies if this has been answered before. I browsed the list and really could not find the use case described.

  We don't have documentation which says exactly how to do every possible thing. Instead, we document how the server works.

  Alan DeKok.



Re: Plan assignment based on nas and ugroups

Ganga R. Dhungyel
Thank you, Alan. A few more questions:

Should this be in the Authorize section of the configuration or the Post-Auth section?

Instead of evaluating NAS-IP-Address, can we group the NASes in Huntgroups and use the Huntgroup value to do this, since we are using the sql backend for both users and NASes? Tried this, but when one user belongs to multiple groups, the group chosen is always the first one in the ordered list; it is as if the SQL-Group to Huntgroup-Name mapping in the radgroupcheck table is not considered (group checking is enabled). Maybe I am missing something. I read somewhere that a Fallback needs to be enabled for it to work, but not sure if that is the case?

Thanks.


GRDhungyel


Re: Plan assignment based on nas and ugroups

Alan DeKok-2
On Jun 29, 2020, at 1:17 PM, Ganga R. Dhungyel <[hidden email]> wrote:
> Should this be in the Authorize section of the configuration or the Post-Auth section?

  It doesn't really matter.  Whatever works.

> Instead of evaluating NAS-IP-Address, can we group the NASes in Huntgroups and use the Huntgroup value to do this, since we are using the sql backend for both users and NASes?

  Yes.

> Tried this, but when one user belongs to multiple groups, the group chosen is always the first one in the ordered list ...

  Yes, that's how group checking works.  If you tell it to match on a group, and the user is in that group... it matches on that group.

  If you want it to do something else, try different unlang statements.  Right now, you're saying "I tried stuff and it didn't work".  That's not helpful.

> it is as if the SQL-Group to Huntgroup-Name mapping in the radgroupcheck table is not considered (group checking is enabled). Maybe I am missing something. I read somewhere that a Fallback needs to be enabled for it to work, but not sure if that is the case?

  It depends on what you want to do.

  Please read the SQL module documentation in http://wiki.freeradius.org/ .  It explains in great detail how the SQL module works.  There is no reason for me to repeat that explanation here.

  Alan DeKok.


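A worked version of the policy sketched in Alan's two replies, as an added example that is neither from the thread nor from the FreeRADIUS project: it replaces LDAP-Group with SQL-Group (the default-named sql instance) and NAS-IP-Address with Huntgroup-Name from the preprocess module, covering the three cases in the original question. The huntgroup names, the 192.0.2.x NAS addresses and the group name "A" are placeholders.

```unlang
# mods-config/preprocess/huntgroups (placeholder NAS addresses).
# Each line maps a huntgroup name to the NAS entries it covers; the
# preprocess module, called first in the shipped authorize section,
# evaluates these when Huntgroup-Name is compared in unlang.
xyz     NAS-IP-Address == 192.0.2.10
abc     NAS-IP-Address == 192.0.2.20

# sites-enabled/default, authorize section, placed after the "sql" call.
# The rest of the shipped authorize section is left as-is.
#
# SQL-Group == "A" is true when *any* of the user's radusergroup rows
# is "A", so a user in several groups is not limited to the first group
# in priority order the way radgroupcheck matching is.
# ":=" is used so this policy overrides any Tunnel-* attributes that
# radgroupreply may already have placed in the reply.
if (Huntgroup-Name == "xyz" && SQL-Group == "A") {
        update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "10"
        }
}
elsif (Huntgroup-Name == "abc" && SQL-Group == "A") {
        update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "100"
        }
}
else {
        # Default VLAN for every other NAS/group combination.
        update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "200"
        }
}
```

Run the server with `radiusd -X` and send a test Access-Request with `radtest` from each NAS address to confirm in the debug output which branch matched and which Tunnel-Private-Group-Id was returned.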