I’m trying to work out (in 2.0.0) how to achieve “matching
group specific per user reply attributes” using rlm_sql, based on which
group(s) matched the authentication request.
So, for instance, a user might belong to both DIALUP and
WIRELESS groups. But I only want the per-user reply attributes relevant
to the access request being processed, for instance Mikrotik-Rate-Limit only
gets set if the request matched WIRELESS (via a huntgroup match).
As far as I can tell, this would require some surgery to
rlm_sql, and an additional (optional) CheckGroup column in the ‘radreply’
table:
UserName,Attribute,op,Value,CheckGroup
radiustest,Mikrotik-Rate-Limit,=,512k/512k,WIRELESS
radiustest,Some-Dialup-Attribute,=,foo,DIALUP
radiustest,Some-Common-Attribute,=,bar,
So the authorize_reply_query could then be something like:
authorize_reply_query = "\
SELECT id, UserName, Attribute, Value, op \
FROM ${authreply_table} \
WHERE Username = '%{SQL-User-Name}' \
AND (CheckGroup = ‘’ OR CheckGroup IN(%{control:Matched-Groups}))
ORDER BY id"
Then if the request came from a NAS which has a matching
check attribute for the WIRELESS group, only ‘radreply’ items with
CheckGroup of WIRELESS (and those with no CheckGroup) would be returned.
So in this case, Mikrotik-Rate-Limit and Some-Common-Attribute.
Obviously the surgery to rlm_sql would be in building %{control:Matched-Groups},
which would mean shuffling some code around, as currently the groups aren’t
looked at till after the per-user reply attributes are processed.
Or is there some other way of doing this I’m spacing
on?
-- hugh