Thank you for help. I try to do as you say and put this to authorize section after preprocess:
preprocess
# allow hotspot users only if (SQL-Group != 'Spot') { reject }
Here debug on this action:
++? if (SQL-Group != 'Spot') sql_groupcmp expand: %{User-Name} -> spot2 sql_set_user escaped user --> 'spot2' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'spot2' ORDER BY priority sql_groupcmp finished: User is a member of group Spot rlm_sql (sql): Released sql socket id: 4 ? Evaluating (SQL-Group != 'Spot') -> TRUE ++? if (SQL-Group != 'Spot') -> TRUE ++- entering if (SQL-Group != 'Spot') {...} +++[reject] returns reject ++- if (SQL-Group != 'Spot') returns reject
strange behaviour, user 'spot2' belongs to group 'Spot', but if clause return TRUE and reject returned.
OK, it looks like it doesn't work in unlang. I don't know if it is suposed to, but Alan will know. Put this in users file: DEFAULT SQL-Group != "Spot", Auth-Type := Reject (, Huntgroup-Name == "hotspot") Reply-Message := "Only hotspot users allowed" You will probably need to add NAS-IP-Address or Huntgroup-Name in order to tie it to the originating NAS. Ivan Kalik Kalik Informatika ISP