On Fri, Dec 18, 2015 at 08:55:20PM +0000, Joel Bergmark wrote:
This is what I ran:
update request { Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}" } if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) { reject }
rad_recv: Access-Request packet from host 46.23X.XX.170 port 1645, id=118, length=66 User-Name = "bl" ...
expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> Noc ++[request] returns notfound ++? if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) ?? Evaluating (Huntgroup-Name == "2ndline") -> FALSE
Huntgroup-Name here is "Noc", which is why it didn't match.
?? Skipping (SQL-Group != "2ndline")
...so it short-circuited and didn't even bother checking SQL-Group - there's no point.
++? if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) -> FALSE
So didn't reject.
I expected to get reject on this login, but thats not happening, so I clearly don't understand all elements in this.
Or even better to allow 3rdline users to login to everything and 2ndline users to login to some equipment.
So your users are in two groups, namely "2ndline" or "3rdline"? In which case you are only interested in the "2ndline" case if "3rdline" can access everything. So you can start with if (SQL-Group == "2ndline") { ... } which will skip the case the SQL-Group is 3rdline (or anything else) in the ... If you've got other groups you might want to make that if (SQL-Group != "3rdline") { instead, to match all users that are *not* in 3rdline. Then once you've established users in 2ndline add extra stuff to reject on certain equipment, e.g. if (Huntgroup-Name != "2ndline") { reject } or if (Huntgroup-Name == "3rdline") { reject } Put together this could be if (SQL-Group == "2ndline") { if (Huntgroup-Name != "2ndline") { reject } } which you can combine to come up with what was before (or similar): if ((SQL-Group == "2ndline") && (Huntgroup-Name != "2ndline")) { reject } But read the debug output - just find the bit where the if() is tested, which will tell you what it's testing and therefore what is or isn't matching. Once you've done that you could for example join it all together into a policy that ends up something like # only allow 2ndline to 2ndline kit if (SQL-Group == "2ndline") { if (Huntgroup-Name != "2ndline") { reject } } # allow 3rdline to only access 3rdline and 2ndline kit elsif (SQL-Group == "3rdline") { if (Huntgroup-Name != "2ndline" && Huntgroup-Name != "3rdline") { reject } } # else user can by default access everything except "restricted" else { if (Huntgroup-Name == "restricted") { reject } } Does that help? Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>