Thank you for the help! Indeed this looks more simplistic and nice! :) Everything is in the SQL, necessary since using daloradius as frontend. Just a follow up on: if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) { reject } How to determine the 'SQL-Group' in a simple way? Tried it as is to see how it behaved, and got: +- entering group authorize {...} sql_xlat expand: %{User-Name} -> bl sql_set_user escaped user --> 'bl' expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='46.23X.XX.170' rlm_sql (sql): Reserving sql socket id: 3 sql_xlat finished rlm_sql (sql): Released sql socket id: 3 expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> 3rdline ++[request] returns notfound ++? if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) ?? Evaluating (Huntgroup-Name == "2ndline") -> FALSE ?? Skipping (SQL-Group != "2ndline") ++? if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) -> FALSE ++[chap] returns noop Best regards, Joel -----Ursprungligt meddelande----- Från: Freeradius-Users [mailto:freeradius-users-bounces+joel.bergmark=t3.se@lists.freeradius.org] För Alan DeKok Skickat: den 18 december 2015 17:38 Till: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Ämne: Re: Make sense of SQL Huntgroup HOWTO? On Dec 18, 2015, at 11:30 AM, Joel Bergmark <joel.bergmark@t3.se> wrote:
What I want to do is to control users belonging to group "2ndline" to only access specific nas defined as 2ndline in the huntgroups. If a member of 2ndline tries to login to a NAS defined to 3dline or any other group freeradius should deny access.
Then write that down. It's pretty much that simple. if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) { reject } This assumes that the NAS groups are in Huntrgroup, and the user groups are in SQL.
Assuming a user in 2ndline group trying to login to a NAS defined in huntgroup to be 3rdline update request { Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}" { }
Formatting matters. update request { Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}" } Extra braces are a problem.
if (Huntgroup-Name != users groupname 2ndline (I imagine this to be a sql query) reject }
Nope. Just use my example from above. It's simpler. That is, it assumes that the user groups are in SQL, too.
Sorry if this is something not supposed to be dealt with on this mailing list,
It is exactly what's supposed to be discussed here.
but the alternative is to set up double radius servers, and that seems backwards. I will document the solution to this on the wiki, if I get it working.
That would be nice. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html