help-gnu-radius

Re: [Help-gnu-radius] Changing auth based on client


From: Gerald
Subject: Re: [Help-gnu-radius] Changing auth based on client
Date: Tue, 30 Mar 2004 12:18:34 -0500 (EST)

On Mon, 29 Mar 2004, Charles Sprickman wrote:

> After going through the manual, I'm wondering if the following is
> possible...  I need to generate a different SQL query based on which
> client connects to the radius server.  As an example, I'll say we have
> three main groups of clients:
>
> -local users hitting our POPs
> -remote users that get proxied to us
> -any user using an outsourced news provider that proxies to us

Filters or scripts are how you have to do it currently, I believe.
Sergey is much more familiar with the code and could better tell you how
far away from a reality that is in the development. (I would like more SQL
flexibility in the sqlserver file, but I know it can easily add to the bloat
of a simple query, and I prefer to build my changes into the database
itself.)

Filters:
http://www.gnu.org/software/radius/manual/html_mono/radius.html#SEC178
Exec-Program-Wait:
http://www.gnu.org/software/radius/manual/html_mono/radius.html#SEC289

Sergey has been modifying the sqlserver file in CVS to do more multiple
login checking using the database entries, but I haven't seen any changes
to the auth_query that make it easy to do what you are looking for.

> In the existing SQL table, there are many additional fields, including
> "dial_enabled", "roaming_enabled", and "news_enabled" that contain either
> "Y" or "N".
>
> So for local users, I need to have the query do a "AND dial_enabled='Y'",
> for news "AND news_enabled='Y'", etc.  Looking at rewrite, it doesn't seem
> there's anything there to alter SQL queries...

If you know what servers are going to be requesting this information you
could include that in the query in the attrib database information.

user_name       attr            value           op
jsmith          NAS-IP-Address  10.10.10.1

This will only allow jsmith to authenticate if his query comes from
10.10.10.1.

mysql -e 'SELECT username FROM tablename WHERE dial_enabled="Y";' \
databasename >> newattrib.sql
vi newattrib.sql
:%s/ | // # and other cleanup until you have just a list of those
usernames...
:%s/^/INSERT INTO attrib_table VALUES ('/
:%s/$/','NAS-IP-Address','x.x.x.x',NULL);/
mysql -u blah attrib_db <newattrib.sql

Repeat for news and whatever else has custom NAS addresses and be done
with it. 30 minutes of work and you are back down to only a few mysql
queries per login instead of doubling or tripling your queries.

In the grand scheme of things customization fits better in attrib database
or in the mysql database itself as opposed to making multiple
auth_queries. I know due to older or inherited databases a few people
would like to just drop it in and make 100 queries to 100 different
databases from radius to go hunting for the user, but from an operational
perspective I don't think that is the most efficient radius setup when
mysqldump + vi can allow you to make a new database in the proper format
(on the same mysql server even.)

Gerald
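
The attrib-table population described in the message above, as an added example that is not part of the original post: it fills the table with INSERT ... SELECT and bound parameters instead of editing dumped usernames into INSERT text, so a username containing a quote is stored intact. Assumptions: sqlite3 stands in for MySQL, the `users` table, its rows and the NAS addresses are constructed, and the attrib_table columns follow the layout shown in the message.

```python
import sqlite3

# Service flag column -> NAS addresses for that client group (constructed values).
FLAG_TO_NAS = {
    "dial_enabled": ["10.10.10.1"],
    "news_enabled": ["10.10.20.1"],
}
# Column names cannot be bound as parameters, so they are allow-listed.
ALLOWED_FLAGS = {"dial_enabled", "roaming_enabled", "news_enabled"}


def make_sample_db():
    """In-memory stand-in for the existing user table plus an empty attrib table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, dial_enabled TEXT,
                            roaming_enabled TEXT, news_enabled TEXT);
        CREATE TABLE attrib_table (user_name TEXT, attr TEXT, value TEXT, op TEXT);
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        ("jsmith", "Y", "N", "N"),
        ("o'brien", "Y", "N", "Y"),   # a quote would break hand-built INSERT text
        ("newsonly", "N", "N", "Y"),
    ])
    return conn


def build_attrib(conn, flag_to_nas):
    """Insert one NAS-IP-Address row per (enabled user, NAS); return rows added."""
    added = 0
    for flag, nas_list in flag_to_nas.items():
        if flag not in ALLOWED_FLAGS:
            raise ValueError(f"unexpected flag column: {flag!r}")
        for nas in nas_list:
            cur = conn.execute(
                "INSERT INTO attrib_table (user_name, attr, value, op) "
                "SELECT u.username, 'NAS-IP-Address', ?, NULL FROM users u "
                f"WHERE u.{flag} = 'Y' AND NOT EXISTS ("
                "  SELECT 1 FROM attrib_table a WHERE a.user_name = u.username "
                "  AND a.attr = 'NAS-IP-Address' AND a.value = ?)",
                (nas, nas))
            added += cur.rowcount
    conn.commit()
    return added


def nas_for(conn, user):
    """Return the sorted NAS addresses recorded for a user."""
    rows = conn.execute(
        "SELECT value FROM attrib_table WHERE user_name = ? "
        "AND attr = 'NAS-IP-Address'", (user,))
    return sorted(r[0] for r in rows)
```

The NOT EXISTS guard makes the load safe to re-run after new users are enabled; how radiusd treats a user with more than one NAS-IP-Address row is not modelled here.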



