Hanno Schupp wrote:
I am trying to implement huntgroups via MySQL according to http://wiki.freeradius.org/SQL_Huntgroup_HOWTO On difference is the assignment of huntgroups not according to NAS-IP, but to Called-Station-Id. The goal is to suppress roaming between hotspot routers, between groups of hotspots.
For that purpose I have inserted the code ... In lieu of the module ‘preprocess’ into group ‘authorize’, as advised in the HOWTO.
You also seen to be over-riding that in the SQL tables:
`radgroupcheck` `id`, `GroupName`, `Attribute`, `op`, `Value` 1, 'TestGroup', 'Huntgroup-Name', ':=', 'Test'
This sets the Huntgroup-Name to "Test".
One would expect the user to be rejected if the user tries to log in to the router with the Called-Station-Id '00-1D-7E-E7-96-9F’, However, the user is authenticated and not rejected.
You did not configure the server to reject the user if he logs in with that Called-Station-Id. You configured the server to put him in a huntgroup if he logs in with that Called-Station-Id. Did you configure the server to reject users in the "Test-Rejec" huntgroup? It looks like you didn't.
One thing I don’t get is, why is the rlm_sql_mysql module finding the Hungroup-Name ‘Test-Rejec’ correctly, but module ‘request’ returns not found?
There are explanations for that...
The user is found in radgroupchek for the correct usergroup ‘TestGroup’. As the values in radgroupcheck and radgroupreplycheck do not match, the user should be rejected, but the user is accepted.
No. If the values in radgroupcheck do not match.... it means they do not match. You have *other* configurations that let the server authenticate the request. You did *not* configure the server to reject the request if it's in the "Test-Rejec" huntgroup. Alan DeKok.