On Mon, Jun 22, 2015 at 2:14 PM, Alan DeKok <aland@deployingradius.com> wrote:
I just looking at this wrong....which I'm beginning to think I am. If the user does not need access, but needs to be created in the Freeradius database, then I should probably either 1.) reevaluate the real reason they "need" to be created or 2.) explicitly deny/disable that user, leaving all the other admins alone with default access.
Pretty much.
And just to be clear. I should configure all of that with the /etc/raddb/sites-enabled/default file right after the authorize -> sql section. Meaning, I should place all my sql if/else statements in that section. Right?
Yes.
Thanks again. In the end, this is the logic I came up with, and appears to be doing what I need it to do: # First, start with the "blanks". Meaning, no group, no NAS IP, no access...get out. if (("%{sql:SELECT `groupname` FROM `radusergroup` WHERE `username`='%{User-Name}'}" == '') || ("%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE `nasipaddress`='%{NAS-IP-Address}'}" == '')) { update reply { Reply-Message := "No known GroupName or NAS IP, get out" } reject } # Check for specific groups and NAS IPs, else default to get out. if ("%{sql:SELECT `username` FROM `radusergroup` WHERE `groupname` = 'Admins' AND `username` = '%{User-Name}'}" != '') { update reply { Reply-Message := "Welcome Admin, you may access any device." } } elsif (("%{sql:SELECT `username` FROM `radusergroup` WHERE `groupname` = 'VendorA' AND `username` = '%{User-Name}'}" != '') && (NAS-IP-Address == "10.0.0.1")) { update reply { Reply-Message := "Welcome VendorA, you may access 10.0.0.1" } } else { update reply { Reply-Message := "No known authorized access, get out." } reject } For future vendors, I see the "elsif" part growing, and changing....and that's about it. So far, all my tests are working, and not working as expected.