Freeradius3 + SQL -> radusergroup check is not matched

Alan DeKok aland at deployingradius.com
Mon May 15 16:30:41 CEST 2017


On May 15, 2017, at 10:17 AM, Martin Bednar <mato.bednar at gmail.com> wrote:
> many thanks for help. To be honest I believe that for me it would be
> easier to make it work with tables and queries already in place so if
> you don't mind I'd just like to double-check what I am not
> understanding well from the rlm_sql documentation.

  The default schemas / queries should work... if they're used correctly.

> The user IS found in radcheck, the check items DO match AND the
> read_groups directive is set to 'yes'
> 
> I'm matching last condition:
> 
> # grep read_clients /etc/raddb/mods-available/sql
>        read_clients = yes

  Details matter.  "read_clients" is not "read_groups".

> So group SSID_EMPL-Test is the one which will be checked first :
> 
> MariaDB [radius]> select * from radgroupcheck where groupname =
> "SSID_EMPL-Test";
> +----+----------------+------------------+----+-----------+
> | id | groupname      | attribute        | op | value     |
> +----+----------------+------------------+----+-----------+
> |  6 | SSID_EMPL-Test | Aruba-Essid-Name | == | EMPL-Test |
> +----+----------------+------------------+----+-----------+

  That just says people are in the SSID_EMPL-Test group when they're logging into the EMPL-Test SSID.

  i.e. it does NO checking that a *user* is in a group.

> --> If there is a match, the reply items for this group are pulled
> from the radgroupreply table and applied.
> 
> MariaDB [radius]> select * from radgroupreply where groupname =
> "SSID_EMPL-Test";
> +----+----------------+-----------+----+--------+
> | id | groupname      | attribute | op | value  |
> +----+----------------+-----------+----+--------+
> |  6 | SSID_EMPL-Test | Auth-Type | := | Accept |
> +----+----------------+-----------+----+--------+
> 1 row in set (0.00 sec)

  i.e. anyone who logs into the EMPL-Test SSID gets accepted?

  Is that what you want?


  You've created a particular solution, and you want to fix the solution to solve the problem you have.   But, you haven't written down the problem.

  Again, you need to write down what you want to happen.  Use simple English.  Then, see how the SQL module can be used to get what you want.

  I suggest a simple solution which I think solves the problem (even though the problem is largely unstated).

  Would my solution work?

  Alan DeKok.
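
An added example, not from the thread or from the FreeRADIUS project: a small sqlite3 model of the group lookup discussed above, showing that the radgroupcheck row is a condition on the request, while the user-to-group mapping lives in radusergroup (the table named in the subject line). The helper names, the users "alice" and "bob", and the simplification to `==` checks with no Fall-Through handling are assumptions.

```python
import sqlite3

# Constructed data in the shape of the default schema. The two group rows are
# the ones quoted in the thread; the user "alice" is invented for the example.
SCHEMA = """
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
INSERT INTO radusergroup  VALUES ('alice', 'SSID_EMPL-Test', 1);
INSERT INTO radgroupcheck VALUES ('SSID_EMPL-Test', 'Aruba-Essid-Name', '==', 'EMPL-Test');
INSERT INTO radgroupreply VALUES ('SSID_EMPL-Test', 'Auth-Type', ':=', 'Accept');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def group_check_matches(db, group, request):
    """True when every radgroupcheck row of `group` is met by the request.
    Nothing here looks at the user name. Only the '==' operator is modelled."""
    rows = db.execute(
        "SELECT attribute, op, value FROM radgroupcheck WHERE groupname = ?",
        (group,)).fetchall()
    return all(op == "==" and request.get(attr) == val for attr, op, val in rows)

def groups_applied(db, username, request):
    """Groups the user belongs to (radusergroup) whose check rows also match,
    each paired with its radgroupreply rows."""
    applied = []
    memberships = db.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority",
        (username,)).fetchall()
    for (group,) in memberships:
        if group_check_matches(db, group, request):
            replies = db.execute(
                "SELECT attribute, op, value FROM radgroupreply WHERE groupname = ?",
                (group,)).fetchall()
            applied.append((group, replies))
    return applied

if __name__ == "__main__":
    db = open_db()
    on_ssid = {"Aruba-Essid-Name": "EMPL-Test"}   # constructed request attributes
    for user in ("alice", "bob"):                 # "bob" has no radusergroup row
        print(user, groups_applied(db, user, on_ssid))
    print("check row alone:", group_check_matches(db, "SSID_EMPL-Test", on_ssid))
```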



