On Dec 18, 2015, at 11:30 AM, Joel Bergmark <joel.bergmark@t3.se> wrote:
What I want to do is to control users belonging to group "2ndline" to only access specific nas defined as 2ndline in the huntgroups. If a member of 2ndline tries to login to a NAS defined to 3dline or any other group freeradius should deny access.
Then write that down. It's pretty much that simple. if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) { reject } This assumes that the NAS groups are in Huntrgroup, and the user groups are in SQL.
Assuming a user in 2ndline group trying to login to a NAS defined in huntgroup to be 3rdline update request { Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}" { }
Formatting matters. update request { Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}" } Extra braces are a problem.
if (Huntgroup-Name != users groupname 2ndline (I imagine this to be a sql query) reject }
Nope. Just use my example from above. It's simpler. That is, it assumes that the user groups are in SQL, too.
Sorry if this is something not supposed to be dealt with on this mailing list,
It is exactly what's supposed to be discussed here.
but the alternative is to set up double radius servers, and that seems backwards. I will document the solution to this on the wiki, if I get it working.
That would be nice. Alan DeKok.