How to allow NASes to serve only groups of clients?

Alexander Solodukhin alt at softwarium.net
Thu Mar 12 13:40:23 CET 2009


On Thu, 12 Mar 2009 14:30:07 +0200, Alan DeKok <aland at deployingradius.com>  
wrote:

> Alexander Solodukhin wrote:
>> Thank you for the help. I tried to do as you said and put this in the
>> authorize section after preprocess:
>>
>>        preprocess
>>
>>         # allow  hotspot users only
>>         if (SQL-Group != 'Spot') {
>
>   That won't work... the SQL-Group attribute is a "callback" attribute.
>   i.e. Using it results in a call to the SQL module, which then does the
> comparison itself.
>
>   And... it ignores the operator '!='.  The operator is always '=='.
> This is because the SQL-Group functionality goes way back to version
> 0.2, and isn't integrated with the newer "unlang" feature.
>
>   You could send a patch to integrate it with unlang, or do:
>
> 	if (! (SQL-Group == 'Spot')) {
> 		reject
> 	}
>
>   That should work.  It lets the SQL-Group code use '==', and then uses
> the newer expression parser to do the "NOT in the group" checking.

No luck, Alan. Here is the code:

         # allow  hotspot users only
         if (!(SQL-Group == 'Spot')) {
                 reject
         }

And debug output:

++? if (!(SQL-Group == 'Spot'))
sql_groupcmp
         expand: %{User-Name} -> spot2
sql_set_user escaped user --> 'spot2'
rlm_sql (sql): Reserving sql socket id: 4
         expand: SELECT groupname           FROM radusergroup            
WHERE username = '%{SQL-User-Name}'
    ORDER BY priority -> SELECT groupname           FROM  
radusergroup           WHERE username = 'spot2'
ORDER BY priority
sql_groupcmp finished: User is a member of group Spot
rlm_sql (sql): Released sql socket id: 4
?? Evaluating (SQL-Group == 'Spot') -> TRUE
? Converting !TRUE -> FALSE
++? if (!(SQL-Group == 'Spot')) -> FALSE

It seems to work for the 'spot2' account, but:

++? if (!(SQL-Group == 'Spot'))
sql_groupcmp
         expand: %{User-Name} -> test2
sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 1
         expand: SELECT groupname           FROM radusergroup            
WHERE username = '%{SQL-User-Name}'
    ORDER BY priority -> SELECT groupname           FROM  
radusergroup           WHERE username = 'test2'
ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
sql_groupcmp finished: User is NOT a member of group Spot
++[chap] returns noop
++[mschap] returns noop

It does not work for the test2 account.



-- 
ISP CrIS, Softwarium
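
An added example, not part of the original post and not FreeRADIUS code: a Python check that reads debug output in the format shown above and lists the users for whom the `if` condition was entered but no TRUE/FALSE result was logged before the next module ran. The sample trace is constructed by condensing the two traces in the post, and the function names `audit` and `unresolved` are this example's own.

```python
import re

# Constructed sample, condensed from the two debug traces in the post above.
SAMPLE = """\
++? if (!(SQL-Group == 'Spot'))
         expand: %{User-Name} -> spot2
sql_groupcmp finished: User is a member of group Spot
?? Evaluating (SQL-Group == 'Spot') -> TRUE
? Converting !TRUE -> FALSE
++? if (!(SQL-Group == 'Spot')) -> FALSE
++? if (!(SQL-Group == 'Spot'))
         expand: %{User-Name} -> test2
sql_groupcmp finished: User is NOT a member of group Spot
++[chap] returns noop
"""

COND_END = re.compile(r"^\+\+\? (if \(.*\)) -> (TRUE|FALSE)$")
COND_START = re.compile(r"^\+\+\? (if \(.*\))$")
USER = re.compile(r"expand: %\{User-Name\} -> (\S+)")
MEMBER = re.compile(r"sql_groupcmp finished: User is (NOT )?a member of group (\S+)")

def audit(log):
    # One record per condition: user, group membership, logged result.
    records, cur = [], None
    for line in (raw.strip() for raw in log.splitlines()):
        end = COND_END.match(line)
        start = COND_START.match(line)
        if end and cur:                      # "++? if (...) -> TRUE/FALSE"
            cur["result"] = end.group(2)
            records.append(cur)
            cur = None
        elif start:                          # condition entered
            if cur:
                records.append(cur)
            cur = {"cond": start.group(1), "user": None, "member": None, "result": None}
        elif cur is None:
            continue
        elif (m := USER.search(line)):
            cur["user"] = m.group(1)
        elif (m := MEMBER.search(line)):
            cur["member"] = m.group(1) is None
        elif line.startswith("++["):         # next module ran with no result logged
            records.append(cur)
            cur = None
    return records + ([cur] if cur else [])

def unresolved(records):
    # Users whose condition never logged a TRUE/FALSE result.
    return [r["user"] for r in records if r["result"] is None]
```

A record with `member` false and `result` empty, as for test2 in the sample, is the case from the post where the trace moves on to the next module without a logged result for the condition.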


