Freeradius3 + SQL -> radusergroup check is not matched

Martin Bednar mato.bednar at
Mon May 15 16:17:01 CEST 2017

Hello Allan,

many thanks for help. To be honest I believe that for me it would be
easier to make it work with tables and queries already in place so if
you don't mind I'd just like to doublecheck what am I not
understanding well from the rlm_sql documentation.

-->Search the radcheck table for any check attributes specific to the user
-->If check attributes are found, and there's a match, pull the reply
items from the radreply table for this user and add them to the reply

 In my case it is password

MariaDB [radius]> select * from radcheck where username = "miro";
| id | username | attribute          | op | value |
|  7 | miro     | Cleartext-Password | := | miro  |

nothing is in radreply table

MariaDB [radius]> select * from radreply;
Empty set (0.00 sec)

 --> Group processing then begins if any of the following conditions are met:

The user IS NOT found in radcheck
The user IS found in radcheck, but the check items don't match
The user IS found in radcheck, the check items DO match AND
Fall-Through is set in the radreply table
The user IS found in radcheck, the check items DO match AND the
read_groups directive is set to 'yes'

I'm matching last condition:

# grep read_clients /etc/raddb/mods-available/sql
        read_clients = yes

--> If groups are to be processed for this user, the first thing that
is done is the list of groups this user is a member of is pulled from
the usergroup table ordered by the priority field.

 MariaDB [radius]> select * from radusergroup where username = "miro"
order by priority;
| username | groupname      | priority |
| miro     | SSID_EMPL-Test |        1 |
| miro     | Reject-Profile |        2 |
2 rows in set (0.00 sec)

So group SSID_EMPL-Test is the one which will be checked first :

MariaDB [radius]> select * from radgroupcheck where groupname =
| id | groupname      | attribute        | op | value     |
|  6 | SSID_EMPL-Test | Aruba-Essid-Name | == | EMPL-Test |
1 row in set (0.00 sec)

--> If there is a match, the reply items for this group are pulled
from the radgroupreply table and applied.

MariaDB [radius]> select * from radgroupreply where groupname =
| id | groupname      | attribute | op | value  |
|  6 | SSID_EMPL-Test | Auth-Type | :=  | Accept |
1 row in set (0.00 sec)

--> Processing continues to the next group IF:
 There was not a match for the last group's check items

so my understanding is that check won't continue and user will get
Accept. Clearly I'm missing something but I don't know what. You're
saying that

" 6 | SSID_EMPL-Test     | Aruba-Essid-Name  | == | EMPL-Test
Which says that anyone in the SSID_EMPL-Test is rejected if they use
the EMPL-Test  SSID."

If you could show me here right directions I'd really appreciate that.
How should I check if Aruba-Essid-Name has value EMPL-Test and if so
Accept the user ?

Thanks for your time,


More information about the Freeradius-Users mailing list