
I wonder if anyone can help me.

The goal is to assign different users different IP addresses based on the AP they connect to. I cannot statically set this, as users will travel and end up connecting via a different AP.

So I wanted to do a check to see if I can match the NAS IP and then assign that user to a group, which in turn will allocate the correct IP pool.

I've done quite a bit of research and it seems to be as simple as adding it to the radgroupcheck table, like such:

 id | groupname |   attribute    |   value    | op 
----+-----------+----------------+------------+----
  1 | Group1    | Nas-IP-Address | x.x.x.x    | ==
  4 | Group1    | Pool-Name      | POOL1      | :=

However, in the radiusd -X output I do not even see it attempting to check the group.

It seems to check the radusergroup table, but there is nothing in there due to the fact that I need to set the user group dynamically based on location.

Any help would be appreciated.

Thanks

Rob


2 Answers

I think you should be able to use NAS Huntgroups to do what you're attempting to do.

Following the example, create the table:

CREATE TABLE radhuntgroup (
    id int(11) unsigned NOT NULL auto_increment,
    groupname varchar(64) NOT NULL default '',
    nasipaddress varchar(15) NOT NULL default '',
    nasportid varchar(15) default NULL,
    PRIMARY KEY  (id),
    KEY nasipaddress (nasipaddress)
) ;

Add in your NAS addresses:

INSERT INTO radhuntgroup (groupname, nasipaddress) VALUES ("Nas_1", "192.168.0.10");
INSERT INTO radhuntgroup (groupname, nasipaddress) VALUES ("Nas_2", "192.168.1.10");

Then in the authorize {} section, you'd add this code:

# look up the huntgroup for the NAS that sent the request and store it in the request list
update request {
    Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
}

You can then add lines in the radgroupcheck table to check other values (if needed), or just the radgroupreply table where you can assign them a specific pool.

NickW
  • Awesome, thanks, let me give it a shot, will revert shortly. – Rob Feb 10 '14 at 11:03
  • Ok, still not winning, followed the guide and it still ignores the check. Am I missing something in my config to enable huntgroups? – Rob Feb 10 '14 at 12:14
  • What are you trying to do with the check exactly? – NickW Feb 10 '14 at 12:16
  • Pretty much exactly as you have above. Get the NAS IP and assign an IP to that user based on the NAS IP. Problem is the radiusd -X doesn't even show the huntgroup lookup – Rob Feb 10 '14 at 12:18
  • I also tried to remove the other info in the file modules/preprocess. Didn't help either – Rob Feb 10 '14 at 12:19
  • Very interesting, where was the `authorize {}` section you updated located? – NickW Feb 10 '14 at 12:39
  • sites-enabled/default. I've got an alternative plan. I see it always tries to look for the group under radusergroup. So I'm editing the group_membership_query in dialup.conf to `SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'`. Seems to work. Problem is now the thing won't look in the radgroupreply table to get the IP pool.... – Rob Feb 10 '14 at 12:44
  • I made a mistake up top; supposedly the pool name should be a CONTROL attribute, which means it goes in the radgroupcheck table, not the radgroupreply! I'll change it soon.. – NickW Feb 10 '14 at 13:08
  • So in the radgroupcheck I should have `ZA_AP_CC | Pool-Name | ZA_IP_POOL | :=` in the order of groupname, attribute, value, op. So I guess the next problem lies with my sqlippool.conf – Rob Feb 10 '14 at 13:11
  • Is there a place I can paste my debug for you to have a look through? Perhaps it will speed up this process. I think pasting it here would be a bit much – Rob Feb 10 '14 at 13:19
  • Maybe pastebin.. – NickW Feb 10 '14 at 13:25
  • I think your syntax is fine for the radgroupcheck. – NickW Feb 10 '14 at 13:26
  • Sorry, it's a lot of reading. Notice it picks up 3 attributes in the radgroupcheck, never attempts a radgroupreply (not a problem), but when it gets to the ippool section it states `[sqlippool] No Pool-Name defined` – Rob Feb 10 '14 at 13:36
  • I do see the authorize section adding in the huntgroups, then this further down: `rlm_sql (sql): Read entry nasname=Buffalo,shortname=HO wifi,secret=************* rlm_sql (sql): Failed to look up hostname Buffalo: ip_hton: Name or service not known` – NickW Feb 10 '14 at 13:42
  • Sorry, deleted the link as it didn't seem like a great idea to leave that info available. Note I'm not using huntgroups. I changed the group lookup to that SQL string as I couldn't get the huntgroup to work. Have a look at line 555; it shows you where it gets the group name, but further down it shows no ippool – Rob Feb 10 '14 at 13:49
  • I've still got it open, so it's useful for me at least :) You do have the ippool table with values in it, correct? If you want it to get the pool name, we have to assign it the `Pool-Name` attribute.. maybe in the authorize section, replace the HuntGroup bit with this: `{ Pool-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}" }` I don't think this is what we need, but obviously, we need to assign that Pool name.. – NickW Feb 10 '14 at 14:07
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/12954/discussion-between-nickw-and-rob) – NickW Feb 10 '14 at 14:07
  • Here is something really odd. If I add Pool-Name directly to the radcheck table and I connect via the NAS, the pool never gets set. But if I do a radtest directly on the server, the IP gets allocated. Really odd... – Rob Feb 10 '14 at 14:07
  • Ok, after much hacking I got this thing to work. I'm going to add a separate answer, but you deserve the rep. Thanks for the help. – Rob Feb 11 '14 at 07:33

The answer by NickW should in theory work. However, for some reason it worked using radtest but failed when I authenticated via the AP. I am using EAP, so WPA2-Enterprise with a signed cert. (I followed this guide; note that I'm using a CentOS server, not Ubuntu.)

I ended up going into my sites-enabled/default; in the post-auth section I added this before my sqlippool.

update control {
    Pool-Name := "%{sql:select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='%{NAS-IP-Address}'}"
}

My table layout is standard; I added the radhuntgroup table as suggested by NickW, then matched that to my radgroupcheck table, like such:

radhuntgroup:

 id |  groupname   | nasipaddress | nasportid 
----+--------------+--------------+-----------
  1 | South Africa | 10.xx.xx.xx  | 
  2 | Mozambique   | 10.xx.xx.xx  | 

radgroupcheck:

 id |  groupname   | attribute | op |   value    
----+--------------+-----------+----+------------
  4 | South Africa | Pool-Name | := | ZA_IP_POOL
  7 | Mozambique   | Pool-Name | := | MZ_IP_POOL

So the result in my radiusd -X output is as follows:

# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
sql_xlat
    expand: %{User-Name} -> robert@test
sql_set_user escaped user --> 'robert@test'
    expand: select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='%{NAS-IP-Address}' -> select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='10.53.0.7'
    expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='10.53.0.7'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
sql_xlat finished
rlm_sql (sql): Released sql socket id: 4
    expand: %{sql:select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='%{NAS-IP-Address}'} -> ZA_IP_POOL
++[control] returns noop
rlm_sql (sql): Reserving sql socket id: 3
[sqlippool]     expand: %{User-Name} -> robert@test
[sqlippool] sql_set_user escaped user --> 'robert@test'
[sqlippool]     expand: START TRANSACTION -> START TRANSACTION
rlm_sql_postgresql: query: START TRANSACTION
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 0
[sqlippool]     expand: UPDATE radippool   SET nasipaddress = '', pool_key = 0, callingstationid = '',   expiry_time = 'now'::timestamp(0) - '1 second'::interval   WHERE nasipaddress = '%{NAS-IP-Address}'   AND pool_key = '%{NAS-Port}' -> UPDATE radippool   SET nasipaddress = '', pool_key = 0, callingstationid = '',   expiry_time = 'now'::timestamp(0) - '1 second'::interval   WHERE nasipaddress = '10.53.0.7'   AND pool_key = ''
rlm_sql_postgresql: query: UPDATE radippool   SET nasipaddress = '', pool_key = 0, callingstationid = '',   expiry_time = 'now'::timestamp(0) - '1 second'::interval   WHERE nasipaddress = '10.53.0.7'   AND pool_key = ''
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
[sqlippool]     expand: SELECT framedipaddress FROM radippool   WHERE pool_name = '%{control:Pool-Name}' AND expiry_time < 'now'::timestamp(0)   ORDER BY (username <> '%{SQL-User-Name}'),   (callingstationid <> '%{Calling-Station-Id}'), expiry_time   LIMIT 1   FOR UPDATE -> SELECT framedipaddress FROM radippool   WHERE pool_name = 'ZA_IP_POOL' AND expiry_time < 'now'::timestamp(0)   ORDER BY (username <> 'robert@test'),   (callingstationid <> '38-AA-3C-5E-7E-40'), expiry_time   LIMIT 1   FOR UPDATE
rlm_sql_postgresql: query: SELECT framedipaddress FROM radippool   WHERE pool_name = 'ZA_IP_POOL' AND expiry_time < 'now'::timestamp(0)   ORDER BY (username <> 'robert@test'),   (callingstationid <> '38-AA-3C-5E-7E-40'), expiry_time   LIMIT 1   FOR UPDATE
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
[sqlippool]     expand: UPDATE radippool   SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}',   callingstationid = '%{Calling-Station-Id}', username = '%{SQL-User-Name}',   expiry_time = 'now'::timestamp(0) + '18000 second'::interval   WHERE framedipaddress = '10.53.0.111' -> UPDATE radippool   SET nasipaddress = '10.53.0.7', pool_key = '',   callingstationid = '38-AA-3C-5E-7E-40', username = 'robert@test',   expiry_time = 'now'::timestamp(0) + '18000 second'::interval   WHERE framedipaddress = '10.53.0.111'
rlm_sql_postgresql: query: UPDATE radippool   SET nasipaddress = '10.53.0.7', pool_key = '',   callingstationid = '38-AA-3C-5E-7E-40', username = 'robert@test',   expiry_time = 'now'::timestamp(0) + '18000 second'::interval   WHERE framedipaddress = '10.53.0.111'
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
[sqlippool] Allocated IP 10.53.0.111 [6f00350a]
[sqlippool]     expand: COMMIT -> COMMIT

I hope this info can help someone else going through the same struggle I went through.

Rob
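A runnable illustration of the post-auth lookup in Rob's answer, added here as an example and not code from either answer: it rebuilds the two tables in an in-memory SQLite database with constructed rows and runs the join as posted beside a version restricted to `attribute = 'Pool-Name'`. The sql xlat hands only the first returned row to `control:Pool-Name`, so as soon as a group carries any other check item the unfiltered join can return that item's value as the pool name; the IP addresses and the extra Simultaneous-Use row are constructed for the demonstration, and a NAS in no huntgroup yields `None`, which is the `[sqlippool] No Pool-Name defined` case seen in the comments.

```python
import sqlite3

# Constructed rows in the radhuntgroup / radgroupcheck layout of the answer above:
# group and pool names are the page's, the IP addresses and the extra
# Simultaneous-Use check item are constructed for this demonstration.
HUNTGROUPS = [(1, "South Africa", "10.53.0.7", None), (2, "Mozambique", "10.53.1.7", None)]
GROUPCHECK = [
    (3, "South Africa", "Simultaneous-Use", ":=", "1"),  # constructed extra check item
    (4, "South Africa", "Pool-Name", ":=", "ZA_IP_POOL"),
    (7, "Mozambique", "Pool-Name", ":=", "MZ_IP_POOL"),
]

# The join as written in the post-auth block; '?' stands in for the
# %{NAS-IP-Address} expansion that FreeRADIUS escapes inside the sql xlat.
QUERY_AS_POSTED = """SELECT value FROM radgroupcheck
LEFT JOIN radhuntgroup ON radhuntgroup.groupname = radgroupcheck.groupname
WHERE radhuntgroup.nasipaddress = ?"""

# Same lookup restricted to the Pool-Name check item, so no other check item
# of the group can ever be returned as the pool name.
QUERY_FILTERED = """SELECT radgroupcheck.value FROM radgroupcheck
JOIN radhuntgroup ON radhuntgroup.groupname = radgroupcheck.groupname
WHERE radhuntgroup.nasipaddress = ? AND radgroupcheck.attribute = 'Pool-Name'
LIMIT 1"""


def build_db():
    """In-memory SQLite stand-in for the two FreeRADIUS SQL tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radhuntgroup (id INTEGER PRIMARY KEY, groupname TEXT NOT NULL,
                                   nasipaddress TEXT NOT NULL, nasportid TEXT);
        CREATE INDEX radhuntgroup_nasip ON radhuntgroup (nasipaddress);
        CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT NOT NULL,
                                    attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO radhuntgroup VALUES (?, ?, ?, ?)", HUNTGROUPS)
    conn.executemany("INSERT INTO radgroupcheck VALUES (?, ?, ?, ?, ?)", GROUPCHECK)
    return conn


def candidate_values(conn, nas_ip, query):
    """Every value the query can yield for this NAS; the sql xlat keeps only the first row."""
    return sorted(row[0] for row in conn.execute(query, (nas_ip,)))


def pool_for_nas(conn, nas_ip):
    """Pool name handed to control:Pool-Name, or None (sqlippool's 'No Pool-Name defined')."""
    row = conn.execute(QUERY_FILTERED, (nas_ip,)).fetchone()
    return row[0] if row else None
```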