On 23/03/2017 05:34, gh.li@microshield.com.cn wrote:
I have extented radcheck tables with field user_ssid,so the records like:
and change the authorize_check_query statement to: "SELECT id, username, attribute, value, op FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' and ssid='%{Aruba_Essid_Name}' ORDER BY id"
but I donot get the correct sql statement: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'emp' and ssid='' ORDER BY id Are you sure the incoming request contains an "Aruba_Essid_Name" attribute? According to the dictionary I have here, it should have dashes and not underscores:
share/dictionary.aruba:ATTRIBUTE Aruba-Essid-Name 5 string However, there's a better way to do what you're doing: separate authentication (who you are) from authorization (what you are allowed to do). In the sql tables, you can do this using groups. (1) Make each of your employee accounts members of an 'employee' group (insert into the usergroup_table which is by default called "radusergroup") (2) Add your authorization rules into unlang, in a policy entry called from your authorize{} or post-auth{} section wireless_authz { if (&Aruba-Essid-Name == "SSID-EMP" && not (&SQL-Group[*] == 'employee')) { reject } } (It might be possible to hack something together using the radgroupcheck table, but the unlang approach is simple and explicit) HTH, Brian.