Huntgroups issue - every user is accepted

Hanno Schupp hanno.schupp at
Mon Jan 19 13:04:54 CET 2009

-----Original Message-----
From: Alan DeKok [mailto:aland at] 
Sent: Monday, 19 January 2009 10:29 p.m.
To: FreeRadius users mailing list
Subject: Re: Huntgroups issue - every user is accepted

Hanno Schupp wrote:
> > I am trying to implement huntgroups via MySQL according to
> > On difference is the
> > assignment of huntgroups not according to NAS-IP, but to
> > Called-Station-Id. The goal is to suppress roaming between hotspot
> > routers, between groups of hotspots.
> >
> > For that purpose I have inserted the code
> > In lieu of the module ‘preprocess’ into group ‘authorize’, as advised in
> > the HOWTO.

>   You also seen to be over-riding that in the SQL tables:

> > `radgroupcheck` 
> > `id`, `GroupName`, `Attribute`, `op`, `Value` 
> > 1, 'TestGroup', 'Huntgroup-Name', ':=', 'Test'

>   This sets the Huntgroup-Name to "Test".

You are right, I checked the tutorial again, and the suggested operator in there is indeed ==

So now the entry reads:
`id`, `GroupName`, `Attribute`, `op`, `Value` 
1, 'TestGroup', 'Huntgroup-Name', '==', 'Test'

Unfortunately it does not make any difference.

> > One would expect the user to be rejected if the user tries to log in to
> > the router with the Called-Station-Id '00-1D-7E-E7-96-9F’, However, the
> > user is authenticated and not rejected.

>   You did not configure the server to reject the user if he logs in with
> that Called-Station-Id.  You configured the server to put him in a
> huntgroup if he logs in with that Called-Station-Id.

>   Did you configure the server to reject users in the "Test-Rejec"
> huntgroup?  It looks like you didn't.

I do not want the user to be rejected per se. I only want the user to be rejected if her own huntgroup as stored in radgroupcheck is different from the huntgroup of the Called-Station-Id in the radhuntgroup table. The goal is to prevent a user to login to a hotspot router, that does not belong to the huntgroup the user belongs to. I am sorry if I have left out any other configuration, but again, according to the howto in the freeradius wiki, what I have configured is all that is necessary. Or are you saying the instructions on are incorrect?

> > One thing I don’t get is, why is the rlm_sql_mysql module finding the
> > Hungroup-Name ‘Test-Rejec’ correctly, but module ‘request’ returns not
> > found?

>   There are explanations for that...

Great. Can you please point out where, as neither rlm_sql not /etc/freeradius/sql/mysql/dialup.conf says anything about returned status.

> > The user is found in radgroupchek for the correct usergroup
> > ‘TestGroup’. As the values in radgroupcheck and radgroupreplycheck do
> > not match, the user should be rejected, but the user is accepted.

>   No.  If the values in radgroupcheck do not match.... it means they do
not match.

As per above, the howto on the freeradius wiki suggests something very different. If it is incorrect, that how to should be pulled.

>   You have *other* configurations that let the server authenticate the
> request.  You did *not* configure the server to reject the request if
> it's in the "Test-Rejec" huntgroup.

Sure I do, but the wiki documentation suggests that the request would be rejected by the system on reading the radgroupcheck table and realising it has a different huntgroup table than the assigned to the NAS.

So let me ask another way, if the documentation is indeed incorrect, how do I reject a request, where Huntgroup of user and NAS do not match?

More information about the Freeradius-Users mailing list