FreeRADIUS: assign a group to users based on the NAS IP address


I was wondering if anyone could help me.

The goal is to assign different IP addresses to different users depending on which AP they connect through. I can't set this statically, because users move around and end up connecting through different APs.

So I want to check whether I can match the NAS IP, then assign that user to a group, and have that group assign the correct IP pool.

I did a lot of research and it seemed simple: just add it to the radgroupcheck table. For example:

 id | groupname |   attribute    |   value    | op 
----+-----------+----------------+------------+----
  1 | Group1    | Nas-IP-Address | x.x.x.x    | ==
  4 | Group1    | Pool-Name      | POOL1      | :=

But in radiusd -X I don't even see it trying to check that group.

It does seem to check the radusergroup table, but since I need to set the user's group dynamically based on location, there is nothing in it.

Any help would be greatly appreciated.

Thanks

Answer 1

I think you should be able to use NAS huntgroups to do what you want.

Create the table as in the example:

CREATE TABLE radhuntgroup (
    id int(11) unsigned NOT NULL auto_increment,
    groupname varchar(64) NOT NULL default '',
    nasipaddress varchar(15) NOT NULL default '',
    nasportid varchar(15) default NULL,
    PRIMARY KEY  (id),
    KEY nasipaddress (nasipaddress)
) ;

Add your NAS addresses:

INSERT INTO radhuntgroup (groupname, nasipaddress) VALUES ("Nas_1", "192.168.0.10");
INSERT INTO radhuntgroup (groupname, nasipaddress) VALUES ("Nas_2", "192.168.1.10");

Then add the following to the authorize {} section:

update request {
    Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
}

Then you can add rows to the radgroupcheck table to check other values if needed, or just add the values that assign them a specific pool to the radgroupreply table.

Answer 2

NickW's answer should work in theory. However, for some reason it worked when using radtest but failed when I authenticated through the AP. I am using EAP, so WPA2-Enterprise with a signed certificate. (I followed this guide; note that I am using a CentOS server rather than Ubuntu.)

I ended up going into my sites-enabled/default and, in the post-auth section, added this before sqlippool:

update control {
    Pool-Name := "%{sql:select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='%{NAS-IP-Address}'}"
}

My table layout is standard; I added radhuntgroup as NickW suggested and then matched it against my radgroupcheck table, like this:

radhuntgroup:

 id |  groupname   | nasipaddress | nasportid 
----+--------------+--------------+-----------
  1 | South Africa | 10.xx.xx.xx  | 
  2 | Mozambique   | 10.xx.xx.xx  | 

radgroupcheck:

 id |  groupname   | attribute | op |   value    
----+--------------+-----------+----+------------
  4 | South Africa | Pool-Name | := | ZA_IP_POOL
  7 | Mozambique   | Pool-Name | := | MZ_IP_POOL

So the result in my radiusd -X looks like this:

# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
sql_xlat
    expand: %{User-Name} -> robert@test
sql_set_user escaped user --> 'robert@test'
    expand: select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='%{NAS-IP-Address}' -> select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='10.53.0.7'
    expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='10.53.0.7'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
sql_xlat finished
rlm_sql (sql): Released sql socket id: 4
    expand: %{sql:select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='%{NAS-IP-Address}'} -> ZA_IP_POOL
++[control] returns noop
rlm_sql (sql): Reserving sql socket id: 3
[sqlippool]     expand: %{User-Name} -> robert@test
[sqlippool] sql_set_user escaped user --> 'robert@test'
[sqlippool]     expand: START TRANSACTION -> START TRANSACTION
rlm_sql_postgresql: query: START TRANSACTION
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 0
[sqlippool]     expand: UPDATE radippool   SET nasipaddress = '', pool_key = 0, callingstationid = '',   expiry_time = 'now'::timestamp(0) - '1 second'::interval   WHERE nasipaddress = '%{NAS-IP-Address}'   AND pool_key = '%{NAS-Port}' -> UPDATE radippool   SET nasipaddress = '', pool_key = 0, callingstationid = '',   expiry_time = 'now'::timestamp(0) - '1 second'::interval   WHERE nasipaddress = '10.53.0.7'   AND pool_key = ''
rlm_sql_postgresql: query: UPDATE radippool   SET nasipaddress = '', pool_key = 0, callingstationid = '',   expiry_time = 'now'::timestamp(0) - '1 second'::interval   WHERE nasipaddress = '10.53.0.7'   AND pool_key = ''
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
[sqlippool]     expand: SELECT framedipaddress FROM radippool   WHERE pool_name = '%{control:Pool-Name}' AND expiry_time < 'now'::timestamp(0)   ORDER BY (username <> '%{SQL-User-Name}'),   (callingstationid <> '%{Calling-Station-Id}'), expiry_time   LIMIT 1   FOR UPDATE -> SELECT framedipaddress FROM radippool   WHERE pool_name = 'ZA_IP_POOL' AND expiry_time < 'now'::timestamp(0)   ORDER BY (username <> 'robert@test'),   (callingstationid <> '38-AA-3C-5E-7E-40'), expiry_time   LIMIT 1   FOR UPDATE
rlm_sql_postgresql: query: SELECT framedipaddress FROM radippool   WHERE pool_name = 'ZA_IP_POOL' AND expiry_time < 'now'::timestamp(0)   ORDER BY (username <> 'robert@test'),   (callingstationid <> '38-AA-3C-5E-7E-40'), expiry_time   LIMIT 1   FOR UPDATE
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
[sqlippool]     expand: UPDATE radippool   SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}',   callingstationid = '%{Calling-Station-Id}', username = '%{SQL-User-Name}',   expiry_time = 'now'::timestamp(0) + '18000 second'::interval   WHERE framedipaddress = '10.53.0.111' -> UPDATE radippool   SET nasipaddress = '10.53.0.7', pool_key = '',   callingstationid = '38-AA-3C-5E-7E-40', username = 'robert@test',   expiry_time = 'now'::timestamp(0) + '18000 second'::interval   WHERE framedipaddress = '10.53.0.111'
rlm_sql_postgresql: query: UPDATE radippool   SET nasipaddress = '10.53.0.7', pool_key = '',   callingstationid = '38-AA-3C-5E-7E-40', username = 'robert@test',   expiry_time = 'now'::timestamp(0) + '18000 second'::interval   WHERE framedipaddress = '10.53.0.111'
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
[sqlippool] Allocated IP 10.53.0.111 [6f00350a]
[sqlippool]     expand: COMMIT -> COMMIT

I hope this information helps anyone else who is going through the same difficulty I did.
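As an added example (not code from either answer or from FreeRADIUS), the NAS-IP-to-pool lookup that both answers rely on, replayed against an in-memory SQLite copy of the radhuntgroup and radgroupcheck tables with constructed rows. It also shows what the %{sql:...} expansion yields for an AP that is in no huntgroup, and why restricting the query to attribute = 'Pool-Name' matters once a group carries other check items.

```python
import sqlite3

# Same column layout as the radhuntgroup / radgroupcheck tables shown above,
# reduced to SQLite types.
SCHEMA = """
CREATE TABLE radhuntgroup (id INTEGER PRIMARY KEY, groupname TEXT NOT NULL,
                           nasipaddress TEXT NOT NULL, nasportid TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT NOT NULL,
                            attribute TEXT NOT NULL, op TEXT NOT NULL,
                            value TEXT NOT NULL);
"""

# Constructed sample rows: two APs, each in its own huntgroup; the South
# Africa group also carries a second, unrelated check item.
HUNTGROUPS = [("South Africa", "10.53.0.7"), ("Mozambique", "10.54.0.7")]
CHECKS = [("South Africa", "Simultaneous-Use", ":=", "1"),
          ("South Africa", "Pool-Name", ":=", "ZA_IP_POOL"),
          ("Mozambique", "Pool-Name", ":=", "MZ_IP_POOL")]

# The query from answer 2, with %{NAS-IP-Address} as a bound parameter.
POOL_QUERY = ("select value from radgroupcheck left join radhuntgroup "
              "on (radhuntgroup.groupname=radgroupcheck.groupname) "
              "where radhuntgroup.nasipaddress = ?")
# Same query restricted to Pool-Name rows, so another check item of the
# group can never be handed to sqlippool as a pool name.
STRICT_QUERY = POOL_QUERY + " and radgroupcheck.attribute = 'Pool-Name'"


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO radhuntgroup (groupname, nasipaddress) "
                   "VALUES (?, ?)", HUNTGROUPS)
    db.executemany("INSERT INTO radgroupcheck (groupname, attribute, op, value) "
                   "VALUES (?, ?, ?, ?)", CHECKS)
    return db


def pool_for_nas(db, nas_ip, query=POOL_QUERY):
    """Mimic the %{sql:...} xlat: first column of the first row, or "" when
    the query returns no rows (an AP that is in no huntgroup)."""
    row = db.execute(query, (nas_ip,)).fetchone()
    return row[0] if row else ""


if __name__ == "__main__":
    db = build_db()
    for nas in ("10.53.0.7", "10.54.0.7", "10.99.0.1"):
        print(nas, repr(pool_for_nas(db, nas)),
              repr(pool_for_nas(db, nas, STRICT_QUERY)))
```

An empty result for an unknown NAS means sqlippool would look up pool_name = '' and allocate nothing, so a default pool or an explicit check for an empty control:Pool-Name is worth adding in post-auth.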
