Hello Alan, again thanks for your time. The goal is simple. When is user connecting to the wireless network he is asked for username/password if there is a match and at the same time he is allowed to use this SSID he is authenticated. username/password check should happen in radcheck table SSID check should happen in radusergroup table
MariaDB [radius]> select * from radgroupreply where groupname =
"SSID_EMPL-Test"; +----+----------------+-----------+----+--------+ | id | groupname | attribute | op | value | +----+----------------+-----------+----+--------+ | 6 | SSID_EMPL-Test | Auth-Type | := | Accept | +----+----------------+-----------+----+--------+ 1 row in set (0.00 sec)
i.e. anyone who logs into the EMPL-Test SSID gets accepted?
You're right - that's not right. In this case even if the username/password would be wrong user would receive Access Accept. I believe that normally there is no need for radgroupreply item because Access Accept/Reject is already set from radcheck. Would it works like this ? Check user in radcheck -> is username/passsword are ok -> Accept otherwise Reject Check user in radgroupcheck -> for allowed SSID there would be group with no reply action -> if no match last group (highest priority) would be Reject which would be always matched. Yes solution proposed by you looks straightforward and would probably work but I have no idea where I should put that condition and I'm afraid that if I'd go this direction it would bring more questions than answers. Thanks for help -- "Martin Bednar"