How to allow NASes to serve only groups of clients?

tnt at kalik.net
Thu Mar 12 13:20:58 CET 2009


>Thank you for the help. I tried to do as you say and put this in the
>authorize section after preprocess:
>
>        preprocess
>
>         # allow  hotspot users only
>         if (SQL-Group != 'Spot') {
>                 reject
>         }
>
>Here is the debug output for this action:
>
>++? if (SQL-Group != 'Spot')
>sql_groupcmp
>         expand: %{User-Name} -> spot2
>sql_set_user escaped user --> 'spot2'
>rlm_sql (sql): Reserving sql socket id: 4
>         expand: SELECT groupname           FROM radusergroup
>WHERE username = '%{SQL-User-Name}'
>    ORDER BY priority -> SELECT groupname           FROM
>radusergroup           WHERE username = 'spot2'
>ORDER BY priority
>sql_groupcmp finished: User is a member of group Spot
>rlm_sql (sql): Released sql socket id: 4
>? Evaluating (SQL-Group != 'Spot') -> TRUE
>++? if (SQL-Group != 'Spot') -> TRUE
>++- entering if (SQL-Group != 'Spot') {...}
>+++[reject] returns reject
>++- if (SQL-Group != 'Spot') returns reject
>
>Strange behaviour: user 'spot2' belongs to group 'Spot', but the if clause
>returns TRUE and reject is returned.
>

OK, it looks like it doesn't work in unlang. I don't know if it is
supposed to, but Alan will know. Put this in the users file:

DEFAULT   SQL-Group != "Spot", Auth-Type := Reject (, Huntgroup-Name == "hotspot")
                 Reply-Message := "Only hotspot users allowed"

You will probably need to add NAS-IP-Address or Huntgroup-Name in order
to tie it to the originating NAS.

Ivan Kalik
Kalik Informatika ISP
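
The contradiction visible in the debug output quoted above (sql_groupcmp reports membership, yet the `!=` condition evaluates TRUE and the member is rejected) can be checked for mechanically when testing a group-restriction policy. The following is an added example, not part of the original message or of FreeRADIUS; the function name, the second sample and the "NOT a member" wording it matches are assumptions.

```python
import re

# Patterns follow the radiusd -X lines quoted in the thread.
USER = re.compile(r"expand: %\{User-Name\} -> (\S+)")
# Assumption: the non-member case is logged as "User is NOT a member of group X".
GROUPCMP = re.compile(
    r"sql_groupcmp finished: User is (not )?a member of group (\S+)", re.I)
EVAL = re.compile(
    r"\? Evaluating \(SQL-Group (==|!=) '([^']*)'\) -> (TRUE|FALSE)")

def find_contradictions(lines):
    """Return (user, group, operator, result) for every SQL-Group condition
    whose logged result disagrees with the preceding sql_groupcmp lookup."""
    findings, user, membership = [], None, {}
    for raw in lines:
        line = raw.lstrip("> \t")          # tolerate e-mail quote markers
        if m := USER.search(line):
            user, membership = m.group(1), {}   # new lookup, reset state
        elif m := GROUPCMP.search(line):
            membership[m.group(2)] = m.group(1) is None
        elif m := EVAL.search(line):
            op, group, result = m.groups()
            if group not in membership:
                continue                   # no lookup seen, nothing to compare
            is_member = membership[group]
            expected = is_member if op == "==" else not is_member
            if expected != (result == "TRUE"):
                findings.append((user, group, op, result))
    return findings

# Lines taken from the debug output quoted in the thread.
THREAD_DEBUG = """\
>++? if (SQL-Group != 'Spot')
>sql_groupcmp
>         expand: %{User-Name} -> spot2
>sql_groupcmp finished: User is a member of group Spot
>? Evaluating (SQL-Group != 'Spot') -> TRUE
>+++[reject] returns reject
""".splitlines()

# Constructed sample: a non-member, for whom TRUE is the consistent result.
CONSTRUCTED_DEBUG = """\
        expand: %{User-Name} -> guest1
sql_groupcmp finished: User is NOT a member of group Spot
? Evaluating (SQL-Group != 'Spot') -> TRUE
""".splitlines()

if __name__ == "__main__":
    for finding in find_contradictions(THREAD_DEBUG + CONSTRUCTED_DEBUG):
        print("condition contradicts group lookup:", finding)
```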



