Matter of Life and Death - SQL and Proxy
Hello, I work in a Carrier and have an important question regarding SQL query check: I need to check a value in authorize_check_query (oracle-dialup.conf) to see if the user has paid his ADSL service. If he did paid the service, the request would be proxied to the ISP radius to authenticate the user, otherwise, the access needs to be rejected. So , the query would be checked like that: authorize_check_query = "SELECT id,UserName,Attribute,Value,op,PAID FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' AND PAID = 'YES' ORDER BY id" The problem is, If PAID != YES, the user is not found by the SELECT (correctly) but the request is still proxied to the ISP (normal proxy behaviour). What can I do to reject the request and not proxy it? Please help! Thank you.
On Tue 19 Sep 2006 19:48, Guilherme Franco wrote:
Hello,
I work in a Carrier and have an important question regarding SQL query check:
I need to check a value in authorize_check_query (oracle-dialup.conf) to see if the user has paid his ADSL service. If he did paid the service, the request would be proxied to the ISP radius to authenticate the user, otherwise, the access needs to be rejected. So , the query would be checked like that:
authorize_check_query = "SELECT id,UserName,Attribute,Value,op,PAID FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' AND PAID = 'YES' ORDER BY id"
The problem is, If PAID != YES, the user is not found by the SELECT (correctly) but the request is still proxied to the ISP (normal proxy behaviour).
What can I do to reject the request and not proxy it?
We do exactly these types of checks, but we put them all inside a stored procedure. That way, if one of the checks doesn't match, you simply have it return "Auth-Type := Reject" Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
"Guilherme Franco" <guilhermefranco@gmail.com> wrote:
The problem is, If PAID != YES, the user is not found by the SELECT (correctly) but the request is still proxied to the ISP (normal proxy behaviour).
What can I do to reject the request and not proxy it?
Configure an SQL module instance *just* for this query. See doc/configurable_failover for an example "sql sql1 ...". Let's call this module "is_paid". See doc/configurable_failover again for what to do on module return codes. Then in the "authorize" section, do: ... is_paid { notfound = reject } ... This will make the user be rejected if they are not paid up. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Thank you very much, I will test it out In the mean time I figured out to use radgroupcheck with values Auth-Type=Reject and some users associated to that usergroup. Thanks again! 06, Alan DeKok <aland@deployingradius.com> wrote:
"Guilherme Franco" <guilhermefranco@gmail.com> wrote:
The problem is, If PAID != YES, the user is not found by the SELECT (correctly) but the request is still proxied to the ISP (normal proxy behaviour).
What can I do to reject the request and not proxy it?
Configure an SQL module instance *just* for this query. See doc/configurable_failover for an example "sql sql1 ...". Let's call this module "is_paid". See doc/configurable_failover again for what to do on module return codes.
Then in the "authorize" section, do: ... is_paid { notfound = reject } ...
This will make the user be rejected if they are not paid up.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Guilherme Franco -
Peter Nixon