Home / server / Questions / 573631
Accepted
Rob
Asked: 2014-02-07 04:05:00 +0800 CST

Freeradius: Assign Group to User based on Nas-IP-Address

  • 772

I wonder if anyone can help me.

The goal is to assign different users different ip address based on the AP they connect to. I cannot statically set this as users will travel and end up connecting via a different ap.

So i wanted to do a check to see if i can match the nas ip and then assign that user to a group, which in turn, the group will allocate the correct IP Pool.

I've done quite abit of research and its seems to be as simple as adding it to the radgroupcheck table. Like such:

 id | groupname |   attribute    |   value    | op 
----+-----------+----------------+------------+----
  1 | Group1    | Nas-IP-Address | x.x.x.x    | ==
  4 | Group1    | Pool-Name      | POOL1      | :=

However in the radius -X i do no even see it attempting to check the group.

It seems to check the radusergroup table, but there is nothing in there due to the fact i need to set the user group dynamically based on location.

Any help would be appreciated.

Thanks

Rob

linux

2 Answers

  1. I think you should be able to use NAS Huntgroups to do what you're attempting to do,

    Following the example, create the table:

    CREATE TABLE radhuntgroup (
    id int(11) unsigned NOT NULL auto_increment,
    groupname varchar(64) NOT NULL default '',
    nasipaddress varchar(15) NOT NULL default '',
    nasportid varchar(15) default NULL,
    PRIMARY KEY  (id),
    KEY nasipaddress (nasipaddress)
) ;

    Add in your NAS addresses:

    INSERT INTO radhuntgroup (groupname, nasipaddress) VALUES ("Nas_1", "192.168.0.10"); INSERT INTO radhuntgroup (groupname, nasipaddress) VALUES ("Nas_2", "192.168.1.10");

    Then in the authorize {} section, you'd add this code:

    { Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}" }

    You can then add in lines in the radgroupcheck table to check other values (if needed), or just the radgroupreply table where you can assign them a specific pool..

    • 3
  2. Best Answer

    The Answer by NickW, should in theory work. However for some reason it worked using a radtest but failed when i authed via the AP. I am using EAP, so wpa2-enterpise with a signed cert. ( I followed this guide, note that im using a centos server not ubuntu )

    I ended up going into my site-enabled/default, in the post-auth section i added this before my sqlippool.

    update control {
                Pool-Name := "%{sql:select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='%{NAS-IP-Address}'}"
    }

    My table layout is standard, i added the radhuntgroup as sugested by NickW, then match that to my radgroupcheck table, like such

    radhuntgroup:

     id |  groupname   | nasipaddress | nasportid 
----+--------------+--------------+-----------
  1 | South Africa | 10.xx.xx.xx  | 
  2 | Mozambique   | 10.xx.xx.xx  |

    radgroupcheck:

     id |  groupname   | attribute | op |   value    
----+--------------+-----------+----+------------
  4 | South Africa | Pool-Name | := | ZA_IP_POOL
  7 | Mozambique   | Pool-Name | := | MZ_IP_POOL

    So the result in my radiusd -X is as follows

    # Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
sql_xlat
    expand: %{User-Name} -> robert@test
sql_set_user escaped user --> 'robert@test'
    expand: select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='%{NAS-IP-Address}' -> select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='10.53.0.7'
    expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='10.53.0.7'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
sql_xlat finished
rlm_sql (sql): Released sql socket id: 4
    expand: %{sql:select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='%{NAS-IP-Address}'} -> ZA_IP_POOL
++[control] returns noop
rlm_sql (sql): Reserving sql socket id: 3
[sqlippool]     expand: %{User-Name} -> robert@test
[sqlippool] sql_set_user escaped user --> 'robert@test'
[sqlippool]     expand: START TRANSACTION -> START TRANSACTION
rlm_sql_postgresql: query: START TRANSACTION
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 0
[sqlippool]     expand: UPDATE radippool   SET nasipaddress = '', pool_key = 0, callingstationid = '',   expiry_time = 'now'::timestamp(0) - '1 second'::interval   WHERE nasipaddress = '%{NAS-IP-Address}'   AND pool_key = '%{NAS-Port}' -> UPDATE radippool   SET nasipaddress = '', pool_key = 0, callingstationid = '',   expiry_time = 'now'::timestamp(0) - '1 second'::interval   WHERE nasipaddress = '10.53.0.7'   AND pool_key = ''
rlm_sql_postgresql: query: UPDATE radippool   SET nasipaddress = '', pool_key = 0, callingstationid = '',   expiry_time = 'now'::timestamp(0) - '1 second'::interval   WHERE nasipaddress = '10.53.0.7'   AND pool_key = ''
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
[sqlippool]     expand: SELECT framedipaddress FROM radippool   WHERE pool_name = '%{control:Pool-Name}' AND expiry_time < 'now'::timestamp(0)   ORDER BY (username <> '%{SQL-User-Name}'),   (callingstationid <> '%{Calling-Station-Id}'), expiry_time   LIMIT 1   FOR UPDATE -> SELECT framedipaddress FROM radippool   WHERE pool_name = 'ZA_IP_POOL' AND expiry_time < 'now'::timestamp(0)   ORDER BY (username <> 'robert@test'),   (callingstationid <> '38-AA-3C-5E-7E-40'), expiry_time   LIMIT 1   FOR UPDATE
rlm_sql_postgresql: query: SELECT framedipaddress FROM radippool   WHERE pool_name = 'ZA_IP_POOL' AND expiry_time < 'now'::timestamp(0)   ORDER BY (username <> 'robert@test'),   (callingstationid <> '38-AA-3C-5E-7E-40'), expiry_time   LIMIT 1   FOR UPDATE
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
[sqlippool]     expand: UPDATE radippool   SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}',   callingstationid = '%{Calling-Station-Id}', username = '%{SQL-User-Name}',   expiry_time = 'now'::timestamp(0) + '18000 second'::interval   WHERE framedipaddress = '10.53.0.111' -> UPDATE radippool   SET nasipaddress = '10.53.0.7', pool_key = '',   callingstationid = '38-AA-3C-5E-7E-40', username = 'robert@test',   expiry_time = 'now'::timestamp(0) + '18000 second'::interval   WHERE framedipaddress = '10.53.0.111'
rlm_sql_postgresql: query: UPDATE radippool   SET nasipaddress = '10.53.0.7', pool_key = '',   callingstationid = '38-AA-3C-5E-7E-40', username = 'robert@test',   expiry_time = 'now'::timestamp(0) + '18000 second'::interval   WHERE framedipaddress = '10.53.0.111'
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
[sqlippool] Allocated IP 10.53.0.111 [6f00350a]
[sqlippool]     expand: COMMIT -> COMMIT

    I hope this info can help someone else going through the same struggle i went through.

    • 0