On Feb 18, 2016, at 10:03 AM, Sylvain Munaut <s.munaut@whatever-company.com> wrote:
I have one group defined per service (so one per wifi SSID, one for VPN, ...) that make sure that the correct returns attributes are in the response.
That's good.
What I'd like is that if either : - The user doesn't exist at all in the DB - Or the user exists but it didn't match any groups (because the user doesn't have access to the particular service he's trying to use).
Then access should be denied.
What's the recommended way to achieve that result ?
Create an SQL table with 2 columns, user and SSID. Then, write a SELECT statement which looks up user and SSID. If it returns anything, the user is allowed to use that SSID. If it returns nothing, the user isn't allowed to use that SSID. if (! "%{sql:SELECT user FROM my_table WHERE user=%{User-Name} AND SSID=%{Called-Station-ID}}") { reject } # else it's OK You'll have to double-check the SQL select statement, of course. But that's the general idea. Alan DeKok.