what would cause sql to return reject response?

[Alan DeKok]

On Feb 11, 2019, at 11:33 AM, Bipin Patel via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> basically i have developed a full web gui for mikrotik routers and
> freeradius to work as a hotspot where the web gui talks to the sql db
> directly and the user can create plans which would be the radius groups
> and associated check and reply attributes.

  Ok...

> I have created a disable
> client account option which deactivates the account and what i saw in
> daloradius was it used to create a disabled group with priority 0 and
> sets the Auth-Type attribute to Reject, i know the docs mention not the
> set the auth-type directly but i dont see a way to do it directly in FR

  That should work.  If it doesn't, read the debug output as suggest in the "man" page, web pages, and the message you get when joining this list.

  No amount of randomly changing things will fix it.  You need to understand what it's doing.

> so i followed the same method and the reason i was assuming the sql
> module would reject seeing the auth-type to reject using the reject
> response but later noticed it would never respond with reject. I
> searched all docs and the book but no place it mentions under what cases
> sql module would respond with reject and i wanted to sql module to
> reject

  It doesn't.  You want the group to match.

> so i can reply with "account disabled" and not have the rest of
> the authorize section to execute coz later down the section i have a
> call to a php script and im trying to reduce calls to it unless the
> account is enabled and id/pass match 

  If you want to skip parts of the "authorize" section, you will need to check for that and write the policy.  Something like:


authorize {
	...
	sql
	if (SQL-Group == "disabled") {
		reject
	}
	...
}

  Alan DeKok.