Checking NAS-Identifier in the radgroupcheck table
Hi ! I am actually setting up a freeradius server that will manage authentication from different places (hotels actually). I am just a beginner toward that technology, and i have one problem : I need to create some accounts that can be enabled at different places: for example you have an account in a hotel in London, then you could use the same account in another hotel of the same chain in ... Madrid for example. But, you could not not use this account in another hotel using the same solution (all my hotels will talk to the same freeradius server). ... I hope you understand my English, sorry about that... So here is the point: I need to check for each account in the radcheck table where does the Access-Request comes from. As some of the NAS will get their IP dynamically from their ISP, I cannot use the NAS-IP-Address parameter, so I would like to use the NAS-Identifier. As some of my accounts could be active for requests coming from several NAS, I thought I could use the radgroupcheck table, in a way like that : radgroupcheck table : groupname | attribute | op | value myGroup | NAS-Identifier | == | myNASName This parameter works in the radcheck tables, if the request comes from a wrong NAS Identifier freeradius sends a Access-Reject, but in the radgroupcheck table, nothing happens ... Does anyone have an idea about that ? Thanks ! -- View this message in context: http://www.nabble.com/Checking-NAS-Identifier-in-the-radgroupcheck-table-tp1... Sent from the FreeRadius - User mailing list archive at Nabble.com.
http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_still_doesn.27t_... Ivan Kalik Kalik Informatika ISP Dana 1/10/2008, "super_tomtom" <super_tomtom@hotmail.com> piše:
Hi ! I am actually setting up a freeradius server that will manage authentication from different places (hotels actually). I am just a beginner toward that technology, and i have one problem : I need to create some accounts that can be enabled at different places: for example you have an account in a hotel in London, then you could use the same account in another hotel of the same chain in ... Madrid for example. But, you could not not use this account in another hotel using the same solution (all my hotels will talk to the same freeradius server). .... I hope you understand my English, sorry about that... So here is the point: I need to check for each account in the radcheck table where does the Access-Request comes from. As some of the NAS will get their IP dynamically from their ISP, I cannot use the NAS-IP-Address parameter, so I would like to use the NAS-Identifier. As some of my accounts could be active for requests coming from several NAS, I thought I could use the radgroupcheck table, in a way like that :
radgroupcheck table : groupname | attribute | op | value myGroup | NAS-Identifier | == | myNASName
This parameter works in the radcheck tables, if the request comes from a wrong NAS Identifier freeradius sends a Access-Reject, but in the radgroupcheck table, nothing happens ...
Does anyone have an idea about that ? Thanks !
-- View this message in context: http://www.nabble.com/Checking-NAS-Identifier-in-the-radgroupcheck-table-tp1... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok... so, here is my DB structure : Table radgroupcheck : +----+-----------+----------------+----+-------+ | id | groupname | attribute | op | value | +----+-----------+----------------+----+-------+ | 4 | hotel1 | Auth-Type | := | Local | | 5 | hotel1 | NAS-Identifier | == | LMS1 | +----+-----------+----------------+----+-------+ Table radusergroup : +----------+-----------+----------+ | username | groupname | priority | +----------+-----------+----------+ | user1 | hotel1 | 1 | +----------+-----------+----------+ Table radcheck: +----+----------+--------------------+----+----------------------------------+ | id | username | attribute | op | value | +----+----------+--------------------+----+----------------------------------+ | 33 | user1 | Cleartext-Password | := | 5f4dcc3b5aa765d61d8327deb882cf99 | +----+----------+--------------------+----+----------------------------------+ Now when I log in with user1 from a NAS identified by "LMS2", here is the radius output : rad_recv: Access-Request packet from host 127.0.0.1 port 32782, id=37, length=225 Vendor-14559-Attr-8 = 0x312e302e3132 User-Name = "user1" CHAP-Challenge = 0xdb7c1d07effaa75dc2a70e21957a6c16 CHAP-Password = 0x003d1437701d38d34412b7379d215605df NAS-IP-Address = 10.101.0.1 Service-Type = Login-User Framed-IP-Address = 10.101.101.1 Calling-Station-Id = "00-1D-09-50-17-B2" Called-Station-Id = "00-1E-4F-DF-E2-58" NAS-Identifier = "LMS2" Acct-Session-Id = "48e484ab00000002" NAS-Port-Type = Wireless-802.11 NAS-Port = 2 WISPr-Logoff-URL = "http://10.101.0.1:3990/logoff" Message-Authenticator = 0x88ff270956703c81baa051c0bc3965fc +- entering group authorize ++[preprocess] returns ok rlm_chap: Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop rlm_realm: No '@' in User-Name = "user1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> user1 rlm_sql (sql): sql_set_user escaped user --> 'user1' rlm_sql (sql): Reserving sql socket id: 2 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user1' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user1' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'user1' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'hotel1' ORDER BY id rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[noresetcounter] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "user1" with CHAP password rlm_chap: Using clear text password "5f4dcc3b5aa765d61d8327deb882cf99" for user user1 authentication. rlm_chap: chap user user1 authenticated succesfully ++[chap] returns ok +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 37 to 127.0.0.1 port 32782 Now as you can see, the radgroupcheck parameter NAS-Identifier == LMS1 did not mismatch... why ? super_tomtom wrote:
Hi ! I am actually setting up a freeradius server that will manage authentication from different places (hotels actually). I am just a beginner toward that technology, and i have one problem : I need to create some accounts that can be enabled at different places: for example you have an account in a hotel in London, then you could use the same account in another hotel of the same chain in ... Madrid for example. But, you could not not use this account in another hotel using the same solution (all my hotels will talk to the same freeradius server). ... I hope you understand my English, sorry about that... So here is the point: I need to check for each account in the radcheck table where does the Access-Request comes from. As some of the NAS will get their IP dynamically from their ISP, I cannot use the NAS-IP-Address parameter, so I would like to use the NAS-Identifier. As some of my accounts could be active for requests coming from several NAS, I thought I could use the radgroupcheck table, in a way like that :
radgroupcheck table : groupname | attribute | op | value myGroup | NAS-Identifier | == | myNASName
This parameter works in the radcheck tables, if the request comes from a wrong NAS Identifier freeradius sends a Access-Reject, but in the radgroupcheck table, nothing happens ...
Does anyone have an idea about that ? Thanks !
-- View this message in context: http://www.nabble.com/Checking-NAS-Identifier-in-the-radgroupcheck-table-tp1... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Not only that but Auth-Type Local also wasn't forced. Adding it there is a mistake in the first place but it still didn't work. What freeradius version is this? Add Reply-Message to radgroupreply and see if that shows in the reply. Ivan Kalik Kalik Informatika ISP
Thanks Ivan for your answer. My freeradius version is 2.0.5. I added a Reply-Message in the radgroupreply table like this : +----+-----------+---------------+----+-------------------------+ | id | groupname | attribute | op | value | +----+-----------+---------------+----+-------------------------+ | 1 | hotel1 | Reply-Message | = | You are in hotel1 group | +----+-----------+---------------+----+-------------------------+ and when I launch the radtest command, it doesn't seems to send it : #> radtest user1 5f4dcc3b5aa765d61d8327deb882cf99 127.0.0.1 3990 testing123 Sending Access-Request of id 229 to 127.0.0.1 port 1812 User-Name = "user1" User-Password = "5f4dcc3b5aa765d61d8327deb882cf99" NAS-IP-Address = 127.0.0.1 NAS-Port = 3990 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=229, length=26 Idle-Timeout = 60 On the server side, here is what happens : rad_recv: Access-Request packet from host 127.0.0.1 port 32782, id=141, length=73 User-Name = "user1" User-Password = "5f4dcc3b5aa765d61d8327deb882cf99" NAS-IP-Address = 127.0.0.1 NAS-Port = 3990 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "user1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> user1 rlm_sql (sql): sql_set_user escaped user --> 'user1' rlm_sql (sql): Reserving sql socket id: 2 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user1' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user1' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'user1' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'hotel1' ORDER BY id rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[noresetcounter] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "5f4dcc3b5aa765d61d8327deb882cf99" rlm_pap: Using clear text password "5f4dcc3b5aa765d61d8327deb882cf99" rlm_pap: User authenticated successfully ++[pap] returns ok +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 141 to 127.0.0.1 port 32782 Idle-Timeout = 60 Finished request 22. ...well... doesn't seems to change anything... I added an Idle-Timeout parameter in the radreply table, this one works fine, but in the radgroupreply table, it looks like it ignores it. Another thing, I didn't really understood the first part of your answer:
Not only that but Auth-Type Local also wasn't forced. Adding it there is a mistake in the first place but it still didn't work.
Could you explain me this please? Thanks ! tnt-4 wrote:
Not only that but Auth-Type Local also wasn't forced. Adding it there is a mistake in the first place but it still didn't work.
What freeradius version is this? Add Reply-Message to radgroupreply and see if that shows in the reply.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Checking-NAS-Identifier-in-the-radgroupcheck-table-tp1... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Something is wrong here:
rlm_sql (sql): Reserving sql socket id: 2 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user1' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user1' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'user1' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'hotel1' ORDER BY id rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok
This is the debug from my 2.0.5 test server: rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifi' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifi' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifi' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifi' ORDER BY id expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'wifi' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM usergroup WHERE username = 'wifi' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'hs256' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'hs256' ORDER BY id rlm_sql (sql): User found in group hs256 expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'hs256' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'hs256' ORDER BY id rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok It has calls to rlm_sql_mysql and also reports: rlm_sql (sql): User found in group hs256. There is no such stuff in your debug. Have you copied sql.conf from an older version? And not used sql.conf and dialup.conf.
Another thing, I didn't really understood the first part of your answer:
Not only that but Auth-Type Local also wasn't forced. Adding it there is a mistake in the first place but it still didn't work.
Could you explain me this please?
Don't force Auth-Type. It's mentioned in numerous places in documentation, website and this list. Let server sort it out. That entry would have diverted the server from doing chap. Good thing it didn't work. Ivan Kalik Kalik Informatika ISP
Ok thanks a lot for your answer ! The Reply-Message did not come because of the '==' operator in the radgroupcheck table. So, if I set the NAS-Identifier to "LMS2" (the one used by my chillispot portal), the condition NAS-Identifier == LMS2 matches, so radius puts me to the "hotel1" group. If it doesn't match (while using radtest command for example), it continues the login process, but considering that i don't own any group... So in my problem explained before, the user can log in even if he's not recognized as coming from the hotel he was expected to come from... What I would like to find is a way to allow a users to log in, only if they have been attributed to a group... About my sql.conf file, it seems to be the one delivered in the release 2.0.5. Here it is : sql { database = "mysql" driver = "rlm_sql_${database}" server = "localhost" login = "login" password = "password" radius_db = "radius" acct_table1 = "radacct" acct_table2 = "radacct" postauth_table = "radpostauth" authcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "radusergroup" read_groups = yes deletestalesessions = yes sqltrace = no sqltracefile = ${logdir}/sqltrace.sql num_sql_socks = 5 connect_failure_retry_delay = 60 nas_table = "nas" $INCLUDE sql/${database}/dialup.conf } By the way I removed the Auth-Type as you advised to me, that was one thing that stayed from the first tutos I followed, that I did not really understood ;) tnt-4 wrote:
Something is wrong here:
rlm_sql (sql): Reserving sql socket id: 2 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id
-> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user1' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user1' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'user1' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'hotel1' ORDER BY id rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok
This is the debug from my 2.0.5 test server:
rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifi' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifi' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifi' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifi' ORDER BY id expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'wifi' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM usergroup WHERE username = 'wifi' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'hs256' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'hs256' ORDER BY id rlm_sql (sql): User found in group hs256 expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'hs256' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'hs256' ORDER BY id rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok
It has calls to rlm_sql_mysql and also reports: rlm_sql (sql): User found in group hs256. There is no such stuff in your debug.
Have you copied sql.conf from an older version? And not used sql.conf and dialup.conf.
Another thing, I didn't really understood the first part of your answer:
Not only that but Auth-Type Local also wasn't forced. Adding it there is a mistake in the first place but it still didn't work.
Could you explain me this please?
Don't force Auth-Type. It's mentioned in numerous places in documentation, website and this list. Let server sort it out.
That entry would have diverted the server from doing chap. Good thing it didn't work.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Checking-NAS-Identifier-in-the-radgroupcheck-table-tp1... Sent from the FreeRadius - User mailing list archive at Nabble.com.
So, if I set the NAS-Identifier to "LMS2" (the one used by my chillispot portal), the condition NAS-Identifier == LMS2 matches, so radius puts me to the "hotel1" group. If it doesn't match (while using radtest command for example), it continues the login process, but considering that i don't own any group... So in my problem explained before, the user can log in even if he's not recognized as coming from the hotel he was expected to come from... What I would like to find is a way to allow a users to log in, only if they have been attributed to a group...
Ah, failed check in sql groups won't reject the user. It will just cause group info to be ignored. This is to allow the user to be a member of multiple groups - if he doesn't match one, then checks go on to next one with lower priority etc. Use radcheck for checks that should reject the user. Ivan Kalik Kalik Informatika ISP
Ok that brings me back to my initial problem... My first try was to put in the radcheck table a condition like this : NAS-Identifier == LMS2 This works very fine, but limits to only one NAS Identifier. I need to allow some clients to log in from different NAS ids... Is there a way to put multiple conditions in the radcheck table such as (NAS-Identifier == LM1) || (NAS-Identifier == LMS2) ? Thanks tnt-4 wrote:
So, if I set the NAS-Identifier to "LMS2" (the one used by my chillispot portal), the condition NAS-Identifier == LMS2 matches, so radius puts me
to
the "hotel1" group. If it doesn't match (while using radtest command for example), it continues the login process, but considering that i don't own any group... So in my problem explained before, the user can log in even if he's not recognized as coming from the hotel he was expected to come from... What I would like to find is a way to allow a users to log in, only if they have been attributed to a group...
Ah, failed check in sql groups won't reject the user. It will just cause group info to be ignored. This is to allow the user to be a member of multiple groups - if he doesn't match one, then checks go on to next one with lower priority etc.
Use radcheck for checks that should reject the user.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Checking-NAS-Identifier-in-the-radgroupcheck-table-tp1... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Use huntgroups. You group users into groups and devices into huntgroups. Ivan Kalik Kalik Informatika ISP Dana 2/10/2008, "super_tomtom" <super_tomtom@hotmail.com> piše:
Ok that brings me back to my initial problem... My first try was to put in the radcheck table a condition like this : NAS-Identifier == LMS2 This works very fine, but limits to only one NAS Identifier. I need to allow some clients to log in from different NAS ids... Is there a way to put multiple conditions in the radcheck table such as (NAS-Identifier == LM1) || (NAS-Identifier == LMS2) ? Thanks
tnt-4 wrote:
So, if I set the NAS-Identifier to "LMS2" (the one used by my chillispot portal), the condition NAS-Identifier == LMS2 matches, so radius puts me
to
the "hotel1" group. If it doesn't match (while using radtest command for example), it continues the login process, but considering that i don't own any group... So in my problem explained before, the user can log in even if he's not recognized as coming from the hotel he was expected to come from... What I would like to find is a way to allow a users to log in, only if they have been attributed to a group...
Ah, failed check in sql groups won't reject the user. It will just cause group info to be ignored. This is to allow the user to be a member of multiple groups - if he doesn't match one, then checks go on to next one with lower priority etc.
Use radcheck for checks that should reject the user.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Checking-NAS-Identifier-in-the-radgroupcheck-table-tp1... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
super_tomtom -
tnt@kalik.net