[solved] freeradius + aaa + assign users to groups
Posted: Tue May 17, 2011 8:15 pm
by luqasz
hi
I have installed freeradius and set up MikroTik to use accounts in RADIUS to log in via telnet/ssh. The default group is read. I cannot find any info on how to set up RADIUS to assign some users to group full. I am using freeradius + postgres backend.
Has anyone tried it?
radreply table (I have tried changing Mikrotik-Group to Group and the operator to = and == with no effect):
 id | username |   attribute    | op | value
----+----------+----------------+----+-------
  2 | kostek   | Mikrotik-Group | := | 1
From dictionary.mikrotik (shipped with freeradius):
# this attribute is unused
ATTRIBUTE Mikrotik-Group 3 string
radusergroup table:
 username | groupname | priority
----------+-----------+----------
 kostek   | full      |        1
Please help.
Re: freeradius + aaa + assign users to groups
Posted: Tue May 17, 2011 8:44 pm
by SurferTim
I checked with User Manager.
In Users/Edit, in the "Group" entry:
full
write
read
In FreeRADIUS radreply table:
UserName "user"
Attribute "Mikrotik-Group"
op "="
Value "full/write/read"
Use only one of those in the Value, though.
Re: freeradius + aaa + assign users to groups
Posted: Tue May 17, 2011 8:52 pm
by luqasz
Thanks for the info, but:
- freeradius says that Mikrotik-Group is no longer used (confusing)
- in which table should I input this value (radreply, radgroupcheck, radgroupreply) and how should it look (operator)?
Maybe you could post me some debug info from MikroTik User Manager and the MikroTik device that speaks with User Manager. Maybe then I would figure out something.
Re: freeradius + aaa + assign users to groups
Posted: Tue May 17, 2011 8:55 pm
by SurferTim
AH HA!! I knew there was something up with the User Manager response! Try
Attribute "MT-Group"
What RouterOS version are you using?
Re: freeradius + aaa + assign users to groups
Posted: Tue May 17, 2011 8:59 pm
by blake
The 'radusergroup' table is only used inside FreeRADIUS for assigning RADIUS users to 'RADIUS groups', and then returning a set of replies to said group, i.e.:
radcheck
 id |     username      |   attribute   | op |       value
----+-------------------+---------------+----+-------------------
 67 | 00:15:6D:33:0B:48 | User-Password | == | 00:15:6D:33:0B:48
radusergroup
     username      |     groupname     | priority
-------------------+-------------------+----------
 00:15:6D:33:0B:48 | mikrotik-wireless |        0
radgroupreply
 id |     groupname     |          attribute           | op | value
----+-------------------+------------------------------+----+-------
  1 | mikrotik-wireless | Mikrotik-Wireless-Forward    | := | 0
  2 | mikrotik-wireless | Mikrotik-Wireless-Skip-Dot1x | := | 1
For your issue, you need this in 'radreply'.
 id |     username      |      attribute      | op |       value
----+-------------------+---------------------+----+-------------------
 65 | test              | Mikrotik-Group      | =  | full
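As an added illustration of the table roles blake describes (example code, not from the thread and not FreeRADIUS's own), this in-memory sqlite model replays the radreply, radusergroup and radgroupreply lookups in the order rlm_sql applies them, with reply-operator semantics where ':=' replaces and '=' only adds when the attribute is absent. The group mt-admins and the users kostek/ola in it are constructed; the other rows are the ones from the post.

```python
import sqlite3

# Constructed in-memory copies of the three tables the post walks through;
# columns trimmed to the ones rlm_sql reads.
SCHEMA = """
CREATE TABLE radreply (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""
SAMPLE = """
-- rows from the post
INSERT INTO radreply (username, attribute, op, value) VALUES ('test', 'Mikrotik-Group', '=', 'full');
INSERT INTO radusergroup VALUES ('00:15:6D:33:0B:48', 'mikrotik-wireless', 0);
INSERT INTO radgroupreply (groupname, attribute, op, value)
    VALUES ('mikrotik-wireless', 'Mikrotik-Wireless-Forward', ':=', '0'),
           ('mikrotik-wireless', 'Mikrotik-Wireless-Skip-Dot1x', ':=', '1');
-- constructed: a RADIUS group that hands out a default MikroTik group, plus a per-user override
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('mt-admins', 'Mikrotik-Group', '=', 'write');
INSERT INTO radusergroup VALUES ('kostek', 'mt-admins', 1), ('ola', 'mt-admins', 1);
INSERT INTO radreply (username, attribute, op, value) VALUES ('kostek', 'Mikrotik-Group', ':=', 'full');
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db


def add_pair(reply, attribute, op, value):
    # Reply-item operators: ':=' sets or replaces, '=' adds only if not already present
    if op == ":=" or attribute not in reply:
        reply[attribute] = value


def reply_items(db, username):
    """Reply attributes for a user: radreply first, then every group from
    radusergroup in priority order, each contributing its radgroupreply rows."""
    reply = {}
    rows = db.execute("SELECT attribute, op, value FROM radreply WHERE username = ? ORDER BY id", (username,))
    for attribute, op, value in rows:
        add_pair(reply, attribute, op, value)
    groups = db.execute("SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority", (username,)).fetchall()
    for (group,) in groups:
        rows = db.execute("SELECT attribute, op, value FROM radgroupreply WHERE groupname = ? ORDER BY id", (group,))
        for attribute, op, value in rows:
            add_pair(reply, attribute, op, value)
    return reply


if __name__ == "__main__":
    db = open_db()
    for user in ("test", "00:15:6D:33:0B:48", "kostek", "ola"):
        print(user, reply_items(db, user))
```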
Re: freeradius + aaa + assign users to groups
Posted: Tue May 17, 2011 9:05 pm
by luqasz
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'ukasz' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'ukasz' ORDER BY id
rlm_sql: Failed to create the pair: Invalid octet string "full" for attribute name "Mikrotik-Group"
rlm_sql (sql): Error getting data from database
I have also tried with MT-Group and get the same error.
Do I need to have anything in the radusergroup table?
Re: freeradius + aaa + assign users to groups
Posted: Tue May 17, 2011 9:06 pm
by blake
I used the above config with ROS 4.x. Haven't tried it with 5.x. Is that what you are using?
Do I need to have anything in the radusergroup table?
You don't need anything. It's optional based on your return params.
Re: freeradius + aaa + assign users to groups
Posted: Tue May 17, 2011 9:18 pm
by luqasz
# NAME VERSION SCHEDULED
0 system 4.10
1 dhcp 4.10
2 hotspot 4.10
3 calea 4.10
4 gps 4.10
5 advanced-tools 4.10
6 mpls 4.10
7 ipv6 4.10
8 multicast 4.10
9 routerboard 4.10
10 ups 4.10
11 security 4.10
12 ntp 4.10
13 user-manager 4.10
14 routing 4.10
15 ppp 4.10
16 wireless 4.10
ii freeradius 2.1.10+dfsg-2 a high-performance and highly configurable RADIUS server
ii freeradius-common 2.1.10+dfsg-2 FreeRADIUS common files
ii freeradius-mysql 2.1.10+dfsg-2 MySQL module for FreeRADIUS server
ii freeradius-utils 2.1.10+dfsg-2 FreeRADIUS client utilities
ii libfreeradius2 2.1.10+dfsg-2 FreeRADIUS shared library
ii libradius1 0.3.2-13 /bin/login replacement with RADIUS. Shared lib to used by programs
ii radiusclient1 0.3.2-13 /bin/login replacement which uses the RADIUS protocol for authentication
Re: freeradius + aaa + assign users to groups
Posted: Tue May 17, 2011 9:24 pm
by SurferTim
Here is mine with user 'test'.
mysql> insert into radreply (username,attribute,op,value) values ('test','Mikrotik-Group','=','read');
Query OK, 1 row affected (0.00 sec)
mysql>
Re: freeradius + aaa + assign users to groups
Posted: Tue May 17, 2011 9:32 pm
by luqasz
OMG, it is so SICK. I have found that in Debian not all dictionaries are included in the /usr/share/freeradius/dictionary file (which holds $INCLUDE lines per vendor dictionary).
I was missing the $INCLUDE dictionary.mikrotik line.
Anyway, thanks for your quick response. Much appreciated.
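The root cause luqasz found (a main dictionary that never $INCLUDEs dictionary.mikrotik, so Mikrotik-Group is an unknown name when rlm_sql tries to build the reply pair from radreply) can be checked offline with this added example, which is not code from the thread or from FreeRADIUS. The dictionary texts are constructed stand-ins; the Mikrotik lines follow the shipped dictionary.mikrotik and 14988 is MikroTik's vendor number.

```python
# Constructed, trimmed stand-ins for /usr/share/freeradius/dictionary and the
# files it pulls in; the Mikrotik lines mirror dictionary.mikrotik (vendor 14988).
FILES_BROKEN = {
    "dictionary": "# main dictionary\n$INCLUDE dictionary.rfc2865\n",
    "dictionary.rfc2865": "ATTRIBUTE User-Name 1 string\nATTRIBUTE User-Password 2 string\n",
    "dictionary.mikrotik": (
        "VENDOR Mikrotik 14988\n"
        "BEGIN-VENDOR Mikrotik\n"
        "# this attribute is unused\n"
        "ATTRIBUTE Mikrotik-Group 3 string\n"
        "END-VENDOR Mikrotik\n"
    ),
}
# The fix from the thread: one extra $INCLUDE line in the main dictionary.
FILES_FIXED = dict(FILES_BROKEN, dictionary=FILES_BROKEN["dictionary"] + "$INCLUDE dictionary.mikrotik\n")


def load_dictionary(files, root="dictionary", seen=None):
    """Return {attribute name: (vendor, number, type)}, following $INCLUDE lines."""
    attrs = {}
    seen = set() if seen is None else seen
    if root in seen or root not in files:
        return attrs  # already read, or an $INCLUDE that points at a missing file
    seen.add(root)
    vendor = ""
    for line in files[root].splitlines():
        words = line.split("#", 1)[0].split()  # strip comments, then tokenise
        if not words:
            continue
        if words[0] == "$INCLUDE":
            attrs.update(load_dictionary(files, words[1], seen))
        elif words[0] == "BEGIN-VENDOR":
            vendor = words[1]
        elif words[0] == "END-VENDOR":
            vendor = ""
        elif words[0] == "ATTRIBUTE" and len(words) >= 4:
            attrs[words[1]] = (vendor, int(words[2]), words[3])
    return attrs


def check_reply_attribute(files, name):
    """Same lookup rlm_sql needs before it can build a reply pair from radreply."""
    attrs = load_dictionary(files)
    if name not in attrs:
        return "unknown attribute %s: the main dictionary must $INCLUDE the vendor file" % name
    vendor, number, atype = attrs[name]
    return "ok: %s is %s attribute %d of type %s" % (name, vendor or "standard", number, atype)


if __name__ == "__main__":
    print(check_reply_attribute(FILES_BROKEN, "Mikrotik-Group"))
    print(check_reply_attribute(FILES_FIXED, "Mikrotik-Group"))
```

Pointing the same loader at the real files would only need reading them from /usr/share/freeradius instead of the inline dict.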