On 02/23/2016 03:36 PM, Alan DeKok wrote:
On Feb 23, 2016, at 3:32 PM, J Kephart <jkephart@safetynetaccess.com> wrote:
OK, so we're finally at the point at which we're attempting to integrate this into our configuration. The intent, per Alan's guidance, is to insert the following statements at the top of the authorize section:
User-Group-Name needs to be in an "update" section. See "man unlang".
update request { User-Group-Name = "%{sql: ... }
That can be simplified to:
if (&User-Group-Name != "") {
You can't just put SQL statements into a block. You need an "update" section. See again "man unlang". e.g.:
update request { Tmp-String-0 := "%{sql:UPDATE ...}" }
You'll have to ensure that the RADIUS server is allowed to edit the radusergroup table. IIRC, the default permissions don't allow this.
Alan DeKok. List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
As ever, thanks, Alan. Somehow, I knew that I'd missed something in the sql update bit. My confusion comes from the final "else" statement; I would think that it belongs inside the update section as well. Would it be "safe" to encapsulate the queries in a single update section, as below? if ("%{Called-Station-Id}" =~ "^<some-mac-prefix>") { update request { User-Group-Name = "%{sql: SELECT group_name from <table_name> where \ site_id='%{NAS-Identifier}' and mac_address='%{Calling-Station-Id}' \ and vlan_id='%{NAS-Port-Id}'}" if (&User-Group-Name != "" { Tmp-String-0 := "%{sql: update radusergroup set \ groupname='%{User-Group-Name}' \ where username='%{Calling-Station-Id}'}"; } else { reject } } } Cheers, Jim