Hi everyone, I want to check two things in pre-auth. 1. Whether the user's network plan subscription is active or not. 2. Whether the data usage has crossed the Max-Data cap or not. In post-auth, update control { # 1. Checks whether the plan subscription is active or not. #Getting the subscription_from value from the radcheck table. Tmp-String-2 := "%{sql:select subscription_from from radcheck where radcheck.username='%{User-Name}'}" #Checking its been how many days from the date of subscription Tmp-Integer-3 := "%{sql:SELECT DATEDIFF(CURDATE(),subscription_from) FROM radcheck where radcheck.username = '%{User-Name}'}" #Getting validity(actual subscription duration) Tmp-Integer-2 := "%{sql:select validity from radcheck where radcheck.username='%{User-Name}'}" # 2. Checks whether the data usage has crossed the Max-Data or not. # Getting the current data usage (Data usage from subscription_from to current date) Tmp-Integer-0 := "%{sql:SELECT COALESCE((SUM(acctoutputoctets)-SUM(iptv_usage)),0) AS Total FROM radacct where (acctstarttime between DATE_FORMAT(NOW() ,(select subscription_from from radcheck where username='%{User-Name}')) AND NOW() ) AND radacct.username='%{User-Name}'}" #Value of Max-Data from the radgroupcheck for the group of the user Tmp-Integer-1 := "%{sql: SELECT radgroupcheck.value FROM radusergroup INNER JOIN radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname WHERE radusergroup.username='%{User-Name}' AND radgroupcheck.attribute='Max-Data'}" #Getting the Mikrotik rate limit for applying FUP Tmp-String-1 := "%{sql: SELECT radgroupcheck.value FROM radusergroup INNER JOIN radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname WHERE radusergroup.username='%{User-Name}' AND radgroupcheck.attribute='Mikrotik-Rate-Limit'}" } #check1 #Checking condition for plan subscription expiry (days from subscription > plan duration) if ("%{control:Tmp-Integer-3}" > "%{control:Tmp-Integer-2}") { update { control:Auth-Type := "Reject" reply:Reply-Message := "Your subscription has expired. Please renew your subscription to continue the service" } } #check2 #Checking whether usage exceeded the Max-Data cap if ("%{control:Tmp-Integer-0}" > "%{control:Tmp-Integer-1}") { update reply { Reply-Message := "Your Bandwidth Limit has been reached" Mikrotik-Rate-Limit := "%{control:Tmp-String-1}" } } But in check1 I am always getting Access-Accept Also, is it possible to give two checks in update control? In logs I can see this. Mon Aug 8 16:13:24 2016 : Debug: (1) if ("%{control:Tmp-Integer-3}" > "%{control:Tmp-Integer-2}") { Mon Aug 8 16:13:24 2016 : Debug: (1) EXPAND TMPL XLAT STRUCT Mon Aug 8 16:13:24 2016 : Debug: (1) EXPAND %{control:Tmp-Integer-3} Mon Aug 8 16:13:24 2016 : Debug: (1) --> 47 Mon Aug 8 16:13:24 2016 : Debug: (1) EXPAND TMPL XLAT STRUCT Mon Aug 8 16:13:24 2016 : Debug: (1) EXPAND %{control:Tmp-Integer-2} Mon Aug 8 16:13:24 2016 : Debug: (1) --> 30 Mon Aug 8 16:13:24 2016 : Debug: (1) if ("%{control:Tmp-Integer-3}" > "%{control:Tmp-Integer-2}") -> TRUE Mon Aug 8 16:13:24 2016 : Debug: (1) if ("%{control:Tmp-Integer-3}" > "%{control:Tmp-Integer-2}") { Mon Aug 8 16:13:24 2016 : Debug: (1) update { Mon Aug 8 16:13:24 2016 : Debug: (1) control:Auth-Type := Reject Mon Aug 8 16:13:24 2016 : Debug: (1) Overwriting value "PAP" with "Reject" Mon Aug 8 16:13:24 2016 : Debug: (1) reply:Reply-Message := "Your subscription has expired. Please renew your subscription to continue the service" Mon Aug 8 16:13:24 2016 : Debug: (1) } # update = noop Mon Aug 8 16:13:24 2016 : Debug: (1) } # if ("%{control:Tmp-Integer-3}" > "%{control:Tmp-Integer-2}") = noop Mon Aug 8 16:13:24 2016 : Debug: (1) modsingle[post-auth]: calling exec (rlm_exec) for request 1 Mon Aug 8 16:13:24 2016 : Debug: (1) modsingle[post-auth]: returned from exec (rlm_exec) for request 1 Mon Aug 8 16:13:24 2016 : Debug: (1) [exec] = noop Mon Aug 8 16:13:24 2016 : Debug: (1) policy remove_reply_message_if_eap { Mon Aug 8 16:13:24 2016 : Debug: (1) if (&reply:EAP-Message && &reply:Reply-Message) { Mon Aug 8 16:13:24 2016 : Debug: (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE Mon Aug 8 16:13:24 2016 : Debug: (1) else { Mon Aug 8 16:13:24 2016 : Debug: (1) modsingle[post-auth]: calling noop (rlm_always) for request 1 Mon Aug 8 16:13:24 2016 : Debug: (1) modsingle[post-auth]: returned from noop (rlm_always) for request 1 Mon Aug 8 16:13:24 2016 : Debug: (1) [noop] = noop Mon Aug 8 16:13:24 2016 : Debug: (1) } # else = noop Mon Aug 8 16:13:24 2016 : Debug: (1) } # policy remove_reply_message_if_eap = noop Mon Aug 8 16:13:24 2016 : Debug: (1) } # post-auth = ok Mon Aug 8 16:13:24 2016 : Debug: (1) Sent Access-Accept Id 69 from 127.0.0.1:1812 to 127.0.0.1:53474 length 0 Mon Aug 8 16:13:24 2016 : Debug: (1) Framed-Protocol = PPP Mon Aug 8 16:13:24 2016 : Debug: (1) Framed-MTU = 1500 Mon Aug 8 16:13:24 2016 : Debug: (1) Framed-Routing = Broadcast-Listen Mon Aug 8 16:13:24 2016 : Debug: (1) Framed-Compression = Van-Jacobson-TCP-IP Mon Aug 8 16:13:24 2016 : Debug: (1) Idle-Timeout = 300 Mon Aug 8 16:13:24 2016 : Debug: (1) Service-Type = Framed-User Mon Aug 8 16:13:24 2016 : Debug: (1) Acct-Interim-Interval = 60 Mon Aug 8 16:13:24 2016 : Debug: (1) Mikrotik-Rate-Limit = '6144k/6144k' Mon Aug 8 16:13:24 2016 : Debug: (1) Reply-Message := 'Your subscription has expired. Please renew your subscription to continue the service' Mon Aug 8 16:13:24 2016 : Debug: (1) Finished request Mon Aug 8 16:13:24 2016 : Debug: Waking up in 4.9 seconds. Please advice. -- Randeep Mob: +919447831699[kerala] Mob: +919880050349[B'lore] http://twitter.com/Randeeppr http://in.linkedin.com/in/randeeppr [image: --] Randeep Raman [image: http://]about.me/Randeeppr <http://about.me/Randeeppr>