<html><body><div>Hi Phil, thanks for the reply and help. Have been in a pickle with this for an age.</div><div><br></div><div>Could you confirm that the query at the bottom should go in the sites-available/default file in the auth section?</div><div><br></div><div>Huntgroups work with radcheck but understand I need a separate attr now (at last)!</div><div><br></div><div><br></div><div><br></div><div><br><br>On Jul 26, 2012, at 10:07 AM, Phil Mayers &lt;p.mayers@imperial.ac.uk&gt; wrote:<br><br></div><div><blockquote type="cite"><div class="msg-quote"><div class="_stretch">On 07/26/2012 09:51 AM, Jenny Blunt wrote:<br> > I'm looking for some help with the implementation of huntgroups.<br> ><br> > Am using mysql and have followed the following topic through:<br> ><br> ><br> > <a href="http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-td4950385.html" data-mce-href="http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-td4950385.html">http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-td4950385.html</a><br> ><br> > In sites-available/default I have this, (just after preprocess):<br> ><br> > update request {<br> > Huntgroup-Name := "%{sql:SELECT `groupname` FROM<br> > `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}"<br> > }<br> <br> Don't do this.<br> <br> Read the 2nd email in the thread you linked to.<br> <br> Huntgroup-Name is a special attribute; comparisons are executed <br> dynamically. You can't just use it like an ordinary string attribute.<br> <br> Define another attribute in raddb/dictionary:<br> <br> ATTRIBUTE SQL-Location 3010 string<br> <br> ...and use that.<br> <br> > authorize_group_check_query = "SELECT id, groupname, attribute_name, \<br> > Value, op \<br> > FROM ${groupcheck_table} \<br> > WHERE ( groupname = '%{Sql-Group}' OR groupname =<br> > '%{Huntgroup-Name}' ) \<br> > ORDER BY id"<br> ><br> > (Which doesn't make logical sense to me)<br> <br> It doesn't make sense to me either. 
So why do it?<br> <br> ><br> > What I'm failing to get my head around is how to reject or allow access<br> > based on the location they're dialing in from?<br> ><br> > For example, a user from IP 1.x.x.x should be allowed access at location<br> > 1 only.<br> <br> I don't know what this means.<br> <br> Write down the policy you want in plain English. Figure out what sources <br> of data you need to execute that policy. Read those sources of data into <br> attributes. Write a policy to check them.<br> <br> For example:<br> <br> authorize {<br> update request {<br> SQL-Location = "%{sql:select location from ...}"<br> }<br> if (NAS-IP-Address =~ /^1\./) {<br> if (SQL-Location != "Location 1") {<br> reject<br> }<br> }<br> }<br> -<br> List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" data-mce-href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a><br></div></div></blockquote></div></body></html>