Multiple checks items for the same attribute
Fajar A. Nugraha
fajar at fajar.net
Tue Feb 16 11:50:31 CET 2010
On Tue, Feb 16, 2010 at 5:24 PM, Sicly undecided
<siclyundecided at gmail.com> wrote:
> I want to be able to check multiple values for the same check
> attribute (nas ipaddress || nas port). I have tried the ":=, +=" way,
> but I'm guessing, since it didn't work, that this only works for reply
> attributes.
>
> If anyone can point me in a general direction it would be most appreciated.
So you're saying you want access allowed if one of the multiple check
attributes matches?

There's no quick-and-standard way that I know of to achieve that.
You'll probably be able to hack the sql module with custom queries and
schema. For example, I had a requirement where a username will be
allowed access:
- from any Calling-Station-Id (for certain users), OR
- from a list of Calling-Station-Ids, where they are comprised of numbers
only (phone numbers, to be exact) for most users.

Plus I need to enable/disable a user easily, and limit user validity
only up to a certain time.

The authorize query became this complicated beast:
authorize_check_query = "SELECT `id`,`UserName`,`Attribute`,`Value`,`op` \
    FROM `${authcheck_table}` \
    WHERE `UserName` IN ( \
        SELECT `UserName` FROM `${authrestrict_table}` \
        WHERE `Username` = '%{SQL-User-Name}' \
          AND `Status`='enable' AND `EXPIRE` > now() ) \
    AND `UserName` IN ( \
        SELECT `UserName` FROM `${authclinumber_table}` \
        WHERE `Username` = '%{SQL-User-Name}' \
          AND `clinumber` IN ('ANY', convert('%{Calling-Station-Id}', SIGNED)) )"
The ${authclinumber_table} that I use to list Calling-Station-Ids goes like this:
+-----------+------------------+------+-----+---------+----------------+
| Field     | Type             | Null | Key | Default | Extra          |
+-----------+------------------+------+-----+---------+----------------+
| id        | int(20) unsigned | NO   | PRI | NULL    | auto_increment |
| UserName  | varchar(64)      | NO   | MUL |         |                |
| clinumber | varchar(16)      | NO   | MUL | ANY     |                |
+-----------+------------------+------+-----+---------+----------------+
where there can be many UserName-clinumber pairs for each user and
phone number combination, and a clinumber of "ANY" if I want to allow
access from any phone number.
While ${authrestrict_table} that I use to control user validity goes like this:
+----------+-----------------------------------+------+-----+---------------------+----------------+
| Field    | Type                              | Null | Key | Default             | Extra          |
+----------+-----------------------------------+------+-----+---------------------+----------------+
| id       | int(20) unsigned                  | NO   | PRI | NULL                | auto_increment |
| UserName | varchar(64)                       | NO   | UNI |                     |                |
| Status   | enum('enable','disable')          | NO   |     | enable              |                |
| Expire   | datetime                          | NO   |     | 0000-00-00 00:00:00 |                |
+----------+-----------------------------------+------+-----+---------------------+----------------+
As you can see it becomes complicated, and again I say this is a hack
(which requires some knowledge of nested SQL queries), but should give
you a basic idea of what you need to do.
You could probably also use unlang and sql expansion, but I haven't
had time to look into it for this purpose.
--
Fajar
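
The access logic of the authorize query above, exercised against an in-memory SQLite database, as an added example that is not part of the original post. The table names, the sample rows and the SQLite substitutes for MySQL's now() and convert(..., SIGNED) are assumptions.

```python
import sqlite3

# Hypothetical table names standing in for ${authcheck_table},
# ${authrestrict_table} and ${authclinumber_table}.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, Value TEXT, op TEXT);
CREATE TABLE radrestrict (UserName TEXT UNIQUE, Status TEXT, Expire TEXT);
CREATE TABLE radclinumber (UserName TEXT, clinumber TEXT DEFAULT 'ANY');
"""

# SQLite adaptation of the post's MySQL query: bound parameters replace the
# %{...} expansions, datetime('now') replaces now(), and a CAST round trip
# replaces convert(..., SIGNED) to reduce the caller ID to its numeric value.
QUERY = """
SELECT id, UserName, Attribute, Value, op FROM radcheck
WHERE UserName IN (SELECT UserName FROM radrestrict
                   WHERE UserName = :user AND Status = 'enable'
                     AND Expire > datetime('now'))
  AND UserName IN (SELECT UserName FROM radclinumber
                   WHERE UserName = :user
                     AND (clinumber = 'ANY' OR
                          clinumber = CAST(CAST(:cli AS INTEGER) AS TEXT)))
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    users = {  # constructed sample: name -> (Status, Expire, permitted caller numbers)
        "alice": ("enable", "2999-01-01 00:00:00", ["ANY"]),
        "bob": ("enable", "2999-01-01 00:00:00", ["5551234", "5559876"]),
        "carol": ("disable", "2999-01-01 00:00:00", ["ANY"]),
        "dave": ("enable", "2000-01-01 00:00:00", ["ANY"]),
    }
    for name, (status, expire, numbers) in users.items():
        db.execute("INSERT INTO radcheck (UserName, Attribute, Value, op) "
                   "VALUES (?, 'Cleartext-Password', 'constructed', ':=')", (name,))
        db.execute("INSERT INTO radrestrict VALUES (?, ?, ?)", (name, status, expire))
        db.executemany("INSERT INTO radclinumber VALUES (?, ?)",
                       [(name, number) for number in numbers])
    return db

def check_items(db, user, calling_station_id):
    """Check rows the query yields; an empty list means the request matched nothing."""
    return db.execute(QUERY, {"user": user, "cli": calling_station_id}).fetchall()

if __name__ == "__main__":
    db = build_db()
    for user, cli in [("alice", "5550000"), ("bob", "5551234"), ("bob", "5550000")]:
        print(user, cli, "rows:", len(check_items(db, user, cli)))
```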