I was wondering if someone could help me.
The goal is to assign different IP addresses to different users depending on which AP the user connects through. I can't set this statically, because users move around and end up connecting through different APs.
So I wanted to check whether I can match on the NAS IP, then assign that user to a group, and then have that group assign the correct IP pool.
I did a lot of research and it seemed to be simple enough: just add it to the radgroupcheck table. For example:
 id | groupname | attribute      | value   | op
----+-----------+----------------+---------+----
  1 | Group1    | Nas-IP-Address | x.x.x.x | ==
  4 | Group1    | Pool-Name      | POOL1   | :=
But in radiusd -X I don't even see it try to check that group.
It seems to check the radusergroup table, but since I need to set the user's group dynamically based on location, there is nothing in there.
Any help would be much appreciated.
Thanks
Rob
Answer 1
I think you should be able to use NAS huntgroups to do what you want.
Create the table as in the example:
CREATE TABLE radhuntgroup (
  id int(11) unsigned NOT NULL auto_increment,
  groupname varchar(64) NOT NULL default '',
  nasipaddress varchar(15) NOT NULL default '',
  nasportid varchar(15) default NULL,
  PRIMARY KEY (id),
  KEY nasipaddress (nasipaddress)
);
Add your NAS addresses:
INSERT INTO radhuntgroup (groupname, nasipaddress) VALUES ("Nas_1", "192.168.0.10");
INSERT INTO radhuntgroup (groupname, nasipaddress) VALUES ("Nas_2", "192.168.1.10");
Then add the following in the authorize {} section:
update request {
    Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
}
Then you can add rows to the radgroupcheck table to check other values if needed, or just add values to the radgroupreply table that assign them a specific pool.
Answer 2
NickW's answer should work in theory. However, for some reason it worked with radtest but failed when I authenticated through an AP. I am using EAP, so WPA2-Enterprise with a signed certificate. (I followed this guide; note that I am using a CentOS server rather than Ubuntu.)
I ended up going into my sites-enabled/default, and in the post-auth section I added this before sqlippool:
update control {
    Pool-Name := "%{sql:select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='%{NAS-IP-Address}'}"
}
My table layout is standard; I added radhuntgroup as NickW suggested and then matched it against my radgroupcheck table, like this:
radhuntgroup:
 id | groupname    | nasipaddress | nasportid
----+--------------+--------------+-----------
  1 | South Africa | 10.xx.xx.xx  |
  2 | Mozambique   | 10.xx.xx.xx  |
radgroupcheck:
 id | groupname    | attribute | op | value
----+--------------+-----------+----+------------
  4 | South Africa | Pool-Name | := | ZA_IP_POOL
  7 | Mozambique   | Pool-Name | := | MZ_IP_POOL
So the result in my radiusd -X is as follows:
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
sql_xlat
expand: %{User-Name} -> robert@test
sql_set_user escaped user --> 'robert@test'
expand: select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='%{NAS-IP-Address}' -> select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='10.53.0.7'
expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='10.53.0.7'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
sql_xlat finished
rlm_sql (sql): Released sql socket id: 4
expand: %{sql:select value from radgroupcheck left join radhuntgroup on (radhuntgroup.groupname=radgroupcheck.groupname) where radhuntgroup.nasipaddress ='%{NAS-IP-Address}'} -> ZA_IP_POOL
++[control] returns noop
rlm_sql (sql): Reserving sql socket id: 3
[sqlippool] expand: %{User-Name} -> robert@test
[sqlippool] sql_set_user escaped user --> 'robert@test'
[sqlippool] expand: START TRANSACTION -> START TRANSACTION
rlm_sql_postgresql: query: START TRANSACTION
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 0
[sqlippool] expand: UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', expiry_time = 'now'::timestamp(0) - '1 second'::interval WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' -> UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', expiry_time = 'now'::timestamp(0) - '1 second'::interval WHERE nasipaddress = '10.53.0.7' AND pool_key = ''
rlm_sql_postgresql: query: UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', expiry_time = 'now'::timestamp(0) - '1 second'::interval WHERE nasipaddress = '10.53.0.7' AND pool_key = ''
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
[sqlippool] expand: SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND expiry_time < 'now'::timestamp(0) ORDER BY (username <> '%{SQL-User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE -> SELECT framedipaddress FROM radippool WHERE pool_name = 'ZA_IP_POOL' AND expiry_time < 'now'::timestamp(0) ORDER BY (username <> 'robert@test'), (callingstationid <> '38-AA-3C-5E-7E-40'), expiry_time LIMIT 1 FOR UPDATE
rlm_sql_postgresql: query: SELECT framedipaddress FROM radippool WHERE pool_name = 'ZA_IP_POOL' AND expiry_time < 'now'::timestamp(0) ORDER BY (username <> 'robert@test'), (callingstationid <> '38-AA-3C-5E-7E-40'), expiry_time LIMIT 1 FOR UPDATE
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
[sqlippool] expand: UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{SQL-User-Name}', expiry_time = 'now'::timestamp(0) + '18000 second'::interval WHERE framedipaddress = '10.53.0.111' -> UPDATE radippool SET nasipaddress = '10.53.0.7', pool_key = '', callingstationid = '38-AA-3C-5E-7E-40', username = 'robert@test', expiry_time = 'now'::timestamp(0) + '18000 second'::interval WHERE framedipaddress = '10.53.0.111'
rlm_sql_postgresql: query: UPDATE radippool SET nasipaddress = '10.53.0.7', pool_key = '', callingstationid = '38-AA-3C-5E-7E-40', username = 'robert@test', expiry_time = 'now'::timestamp(0) + '18000 second'::interval WHERE framedipaddress = '10.53.0.111'
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
[sqlippool] Allocated IP 10.53.0.111 [6f00350a]
[sqlippool] expand: COMMIT -> COMMIT
I hope this information helps someone else going through the same difficulties I did.
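The lookup chain from both answers (NAS-IP-Address to huntgroup to Pool-Name, Answer 1) and the sqlippool lease sequence visible in Answer 2's debug log can be modelled offline to see where they break. The following is an added example written for this page, not code from the original posts or from FreeRADIUS; it uses sqlite3 in memory, and the NAS addresses, MACs, usernames and pool contents are constructed. It differs from Answer 2's query in one deliberate way: it filters on attribute = 'Pool-Name', so a second check item in the same group cannot be returned as the pool name. It also exposes a failure mode the log hints at: pool_key is '' there because NAS-Port is empty on that wireless setup, so sqlippool's release step (WHERE nasipaddress = ... AND pool_key = '') matches every lease on that AP.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample data; NAS, MAC and pool addresses are hypothetical.
NAS_ROWS = [("South Africa", "10.1.0.7"), ("Mozambique", "10.2.0.7")]
GROUPCHECK_ROWS = [
    ("South Africa", "Pool-Name", ":=", "ZA_IP_POOL"),
    ("South Africa", "Simultaneous-Use", ":=", "1"),   # unrelated check item
    ("Mozambique", "Pool-Name", ":=", "MZ_IP_POOL"),
]
POOL_ROWS = [("ZA_IP_POOL", "10.1.0.101"), ("ZA_IP_POOL", "10.1.0.102"),
             ("MZ_IP_POOL", "10.2.0.101")]
LEASE = timedelta(seconds=18000)        # lease length seen in the debug log
EPOCH = "1970-01-01 00:00:00"
NOW = datetime(2024, 1, 1, 12, 0, 0)    # fixed clock for reproducible runs


def ts(t):
    return t.strftime("%Y-%m-%d %H:%M:%S")


def build_db():
    """Minimal radhuntgroup / radgroupcheck / radippool schema with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE radhuntgroup (id INTEGER PRIMARY KEY, groupname TEXT,
            nasipaddress TEXT, nasportid TEXT);
        CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT,
            attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radippool (id INTEGER PRIMARY KEY, pool_name TEXT,
            framedipaddress TEXT, nasipaddress TEXT DEFAULT '',
            pool_key TEXT DEFAULT '', callingstationid TEXT DEFAULT '',
            username TEXT DEFAULT '', expiry_time TEXT DEFAULT '{EPOCH}');""")
    conn.executemany("INSERT INTO radhuntgroup (groupname, nasipaddress) VALUES (?, ?)", NAS_ROWS)
    conn.executemany("INSERT INTO radgroupcheck (groupname, attribute, op, value) "
                     "VALUES (?, ?, ?, ?)", GROUPCHECK_ROWS)
    conn.executemany("INSERT INTO radippool (pool_name, framedipaddress) VALUES (?, ?)", POOL_ROWS)
    return conn


def pool_for_nas(conn, nas_ip):
    """NAS-IP-Address -> huntgroup -> Pool-Name. Unlike the post-auth xlat in
    Answer 2 this filters on attribute = 'Pool-Name', so another check item in
    the same group (Simultaneous-Use here) can never come back as the pool."""
    row = conn.execute(
        """SELECT c.value FROM radgroupcheck c
           JOIN radhuntgroup h ON h.groupname = c.groupname
           WHERE h.nasipaddress = ? AND c.attribute = 'Pool-Name' LIMIT 1""",
        (nas_ip,)).fetchone()
    return row[0] if row else None


def allocate_ip(conn, nas_ip, pool_key, username, calling_station, now=NOW):
    """Replay the sqlippool steps from the debug log: release the lease held
    under (NAS, pool_key), pick a free address from the NAS's pool preferring
    one this user or this MAC had before, then lease it for LEASE."""
    pool = pool_for_nas(conn, nas_ip)
    if pool is None:
        return None   # unknown NAS: control:Pool-Name would be empty, no address
    with conn:        # one transaction, like START TRANSACTION ... COMMIT
        conn.execute(
            """UPDATE radippool SET nasipaddress = '', pool_key = '',
               callingstationid = '', expiry_time = ?
               WHERE nasipaddress = ? AND pool_key = ?""",
            (ts(now - timedelta(seconds=1)), nas_ip, pool_key))
        row = conn.execute(
            """SELECT framedipaddress FROM radippool
               WHERE pool_name = ? AND expiry_time < ?
               ORDER BY (username <> ?), (callingstationid <> ?), expiry_time
               LIMIT 1""",
            (pool, ts(now), username, calling_station)).fetchone()
        if row is None:
            return None   # pool exhausted
        ip = row[0]
        conn.execute(
            """UPDATE radippool SET nasipaddress = ?, pool_key = ?,
               callingstationid = ?, username = ?, expiry_time = ?
               WHERE framedipaddress = ?""",
            (nas_ip, pool_key, calling_station, username, ts(now + LEASE), ip))
    return ip


def active_leases(conn, now=NOW):
    """framedipaddress -> username for leases that have not expired."""
    return dict(conn.execute(
        "SELECT framedipaddress, username FROM radippool WHERE expiry_time > ?",
        (ts(now),)))


def same_ap_demo(pool_key_attr="NAS-Port"):
    """Two clients through the same AP. With pool_key taken from NAS-Port, which
    is '' in the log, the second client's release step matches and evicts the
    first client's lease; keyed on Calling-Station-Id both leases survive."""
    conn = build_db()
    for user, mac in [("alice@test", "AA-AA-AA-AA-AA-01"),
                      ("bob@test", "AA-AA-AA-AA-AA-02")]:
        key = "" if pool_key_attr == "NAS-Port" else mac
        allocate_ip(conn, "10.1.0.7", key, user, mac)
    return active_leases(conn)
```

Running same_ap_demo() with the default key leaves only bob@test holding an address, while same_ap_demo("Calling-Station-Id") keeps both leases; on a real deployment that corresponds to changing sqlippool's pool-key setting from the default NAS-Port to Calling-Station-Id. The toy uses bound parameters; inside a %{sql:...} xlat rlm_sql escapes the expanded NAS-IP-Address for you, but the attribute filter is still worth adding to the post-auth query.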