Hello I use freeradius 3.0.9 and I want to define multiple huntgroups for the same NAS-IP-ADDRESS into the huntgroup file. I 'm using mysql and have followed the following topic http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-td4950385.html In sites-available/myconfig I have this ( just after preprocess ) # It takes care of processing the 'raddb/hints' and the # 'raddb/huntgroups' files. preprocess ####### Ajout fonction check Nas ip address update request { Huntgroup-Name := "%{sqldbvradius1-a:SELECT `huntgroupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}" } if (Huntgroup-Name =~ /^$/) { # empty string; try 2nd sql update request { Huntgroup-Name := "%{sqldbvradius1-b:SELECT `huntgroupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}" } } ############################## In my radgroupcheck Mysql table select * from radgroupcheck; +----+--------------+----------------+----+-------------+ | id | groupname | attribute | op | value | +----+--------------+----------------+----+-------------+ | 1 | AdminRI | Auth-Type | := | LDAPARKEA | | 2 | AdminRI_MOTP | Auth-Type | := | PAMMOTP | | 3 | AdminRI_RSA | Auth-Type | := | PAMRSA | | 4 | AdminRI | Huntgroup-Name | =~ | Pool1|Pool2 | | 5 | AdminRI_MOTP | Huntgroup-Name | =~ | Pool3|Pool2 | | 6 | AdminRI_RSA | Huntgroup-Name | =~ | Pool3|Pool2 | +----+--------------+----------------+----+-------------+ 6 rows in set (0.00 sec) In my radhuntgroup Mysql table select * from radhuntgroup ; +----+----------+-------+---------------+----------------+-----------+ | id | Location | Zone | huntgroupname | nasipaddress | nasportid | +----+----------+-------+---------------+----------------+-----------+ | 1 | rennes | verte | Pool1 | 10.154.253.1 | | | 2 | rennes | verte | Pool1 | 10.154.253.2 | | | 3 | rennes | verte | Pool1 | 10.154.253.3 | | | 4 | rennes | verte | Pool2 | 10.154.253.236 | | | 5 | rennes | verte | Pool3 | 10.154.253.4 | | +----+----------+-------+---------------+----------------+-----------+ 5 rows in set (0.00 sec) An extract of my radusergroup mysql table select * from radusergroup; +------------+--------------+----------+ | username | groupname | priority | +------------+--------------+----------+ | a0327 | AdminRI | 1 | | a0327_motp | AdminRI_MOTP | 1 | | a0327_rsa | AdminRI_RSA | 1 | +------------+--------------+----------+ 36 rows in set (0.00 sec) My debug log Ready to process requests (1) Received Access-Request Id 125 from 10.241.33.1:39902 to 10.239.131.11:1812 length 102 (1) User-Name = "a0327_rsa" (1) User-Password = "XXXXXXXX" (1) NAS-Port = 2 (1) NAS-Port-Id = "tty2" (1) NAS-Port-Type = Virtual (1) NAS-IP-Address = 10.154.253.236 (1) Event-Timestamp = "Oct 9 2015 17:15:43 CEST" (1) Message-Authenticator = 0xea12faeecab79952f4c77f43f464894e (1) Proxy-State = 0x313936 (1) # Executing section authorize from file /opt/freeradius-3.0.9/etc/raddb/sites-enabled/myconfig (1) authorize { (1) policy filter_username { (1) if (!&User-Name) { (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) { (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) update request { (1) EXPAND %{User-Name} (1) --> a0327_rsa (1) SQL-User-Name set to 'a0327_rsa' rlm_sql (sqldbvradius1-a): Reserved connection (4) (1) Executing select query: SELECT `huntgroupname` FROM `radhuntgroup` WHERE nasipaddress='10.154.253.236' rlm_sql (sqldbvradius1-a): Released connection (4) rlm_sql (sqldbvradius1-a): 0 of 7 connections in use. Need more spares rlm_sql (sqldbvradius1-a): Opening additional connection (7), 1 of 25 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'dbvradius1' on radiustux1-a.l.infra.arkea.com via TCP/IP, server version 5.6.24-enterprise-commercial-advanced-log, protocol version 10 (1) EXPAND %{sqldbvradius1-a:SELECT `huntgroupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'} (1) --> Pool2 (1) Huntgroup-Name := Pool2 (1) } # update request = noop (1) if (Huntgroup-Name =~ /^$/) { (1) if (Huntgroup-Name =~ /^$/) -> FALSE (1) underscore: Checking for suffix after "_" (1) underscore: Looking up realm "rsa" for User-Name = "a0327_rsa" (1) underscore: Found realm "rsa" (1) underscore: Adding Stripped-User-Name = "a0327" (1) underscore: Adding Realm = "rsa" (1) underscore: Authentication realm is LOCAL (1) [underscore] = ok (1) arobase: Request already has destination realm set. Ignoring (1) [arobase] = noop (1) [files] = noop (1) group { (1) sqldbvradius1-a: EXPAND %{User-Name} (1) sqldbvradius1-a: --> a0327_rsa (1) sqldbvradius1-a: SQL-User-Name set to 'a0327_rsa' rlm_sql (sqldbvradius1-a): Reserved connection (0) (1) sqldbvradius1-a: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sqldbvradius1-a: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'a0327_rsa' ORDER BY id (1) sqldbvradius1-a: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'a0327_rsa' ORDER BY id (1) sqldbvradius1-a: User found in radcheck table (1) sqldbvradius1-a: Conditional check items matched, merging assignment check items (1) sqldbvradius1-a: Expiration := "Dec 30 2035 00:00:00 CET" (1) sqldbvradius1-a: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sqldbvradius1-a: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'a0327_rsa' ORDER BY id (1) sqldbvradius1-a: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'a0327_rsa' ORDER BY id (1) sqldbvradius1-a: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (1) sqldbvradius1-a: --> SELECT groupname FROM radusergroup WHERE username = 'a0327_rsa' ORDER BY priority (1) sqldbvradius1-a: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'a0327_rsa' ORDER BY priority (1) sqldbvradius1-a: User found in the group table (1) sqldbvradius1-a: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{sqldbvradius1-a-SQL-Group}' ORDER BY id (1) sqldbvradius1-a: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'AdminRI_RSA' ORDER BY id (1) sqldbvradius1-a: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'AdminRI_RSA' ORDER BY id rlm_sql (sqldbvradius1-a): Released connection (0) (1) [sqldbvradius1-a] = ok (1) } # group = ok (1) expiration: Account will expire at 'Dec 30 2035 00:00:00 CET' (1) [expiration] = ok (1) [logintime] = noop (1) } # authorize = ok (1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (1) Failed to authenticate the user (1) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [a0327_rsa] (from client proxyradiustux1-a port 2) (1) Using Post-Auth-Type Reject (1) # Executing group from file /opt/freeradius-3.0.9/etc/raddb/sites-enabled/vradius1-a (1) Post-Auth-Type REJECT { (1) redundant (null) { (1) sqldbvradius1-a: EXPAND .query (1) sqldbvradius1-a: --> .query (1) sqldbvradius1-a: Using query template 'query' rlm_sql (sqldbvradius1-a): Reserved connection (5) (1) sqldbvradius1-a: EXPAND %{User-Name} (1) sqldbvradius1-a: --> a0327_rsa (1) sqldbvradius1-a: SQL-User-Name set to 'a0327_rsa' (1) sqldbvradius1-a: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (1) sqldbvradius1-a: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'a0327_rsa', '2812525337', 'Access-Reject', '2015-10-09 17:15:43') (1) sqldbvradius1-a: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'a0327_rsa', '2812525337', 'Access-Reject', '2015-10-09 17:15:43') (1) sqldbvradius1-a: SQL query returned: success (1) sqldbvradius1-a: 1 record(s) updated rlm_sql (sqldbvradius1-a): Released connection (5) (1) [sqldbvradius1-a] = ok (1) } # redundant (null) = ok (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> a0327_rsa (1) attr_filter.access_reject: Matched entry DEFAULT at line 18 (1) [attr_filter.access_reject] = updated (1) eap: Request didn't contain an EAP-Message, not inserting EAP-Failure (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 2.000000 seconds Waking up in 0.2 seconds. Waking up in 1.7 seconds. If I replcae my radgroupcheck; +----+--------------+----------------+----+-------------+ | id | groupname | attribute | op | value | +----+--------------+----------------+----+-------------+ | 1 | AdminRI | Auth-Type | := | LDAP | | 2 | AdminRI_MOTP | Auth-Type | := | PAMMOTP | | 3 | AdminRI_RSA | Auth-Type | := | PAMRSA | | 4 | AdminRI | Huntgroup-Name | =~ | Pool1|Pool2 | | 5 | AdminRI_MOTP | Huntgroup-Name | =~ | Pool3|Pool2 | | 6 | AdminRI_RSA | Huntgroup-Name | =~ | Pool3|Pool2 | +----+--------------+----------------+----+-------------+ with this +----+--------------+----------------+----+-------------+ | id | groupname | attribute | op | value | +----+--------------+----------------+----+-------------+ | 1 | AdminRI | Auth-Type | := | LDAP | | 2 | AdminRI_MOTP | Auth-Type | := | PAMMOTP | | 3 | AdminRI_RSA | Auth-Type | := | PAMRSA | | 4 | AdminRI | Huntgroup-Name | == | Pool1| | 5 | AdminRI_MOTP | Huntgroup-Name | == | Pool3 | | 6 | AdminRI_RSA | Huntgroup-Name | == | Pool2 | +----+--------------+----------------+----+-------------+ It 's a success but it's not what I want I want to use multiple huntgroups for the same NAS-Ip-Address What is the right configuration ? Is it possible to do and how ? Regards -- Ce message et toutes les pieces jointes (ci-apres le "message") sont confidentiels et etablis a l'intention exclusive de ses destinataires. Toute utilisation ou diffusion non autorisee est interdite. Tout message etant susceptible d'alteration, l'emetteur decline toute responsabilite au titre de ce message s'il a ete altere, deforme ou falsifie. ----------------------------------- This message and any attachments (the "message") are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited. As e-mails are susceptible to alteration, the issuer shall not be liable for the message if altered, changed or falsified.