group sensitive per user return attributes with rlm_sql

Hugh Messenger hugh at
Mon Jul 2 03:19:34 CEST 2007

I'm trying to work out (in 2.0.0) how to achieve "matching group specific
per user reply attributes" using rlm_sql, based on which group(s) matched
the authentication request.


So, for instance, a user might belong to both DIALUP and WIRELESS groups.
But I only want the per-user reply attributes relevant to the access request
being processed, for instance Mikrotik-Rate-Limit only gets set if the
request matched WIRELESS (via a huntgroup match).


As far as I can tell, this would require some surgery to rlm_sql, and an
additional (optional) CheckGroup column in the 'radreply' table:







So the authorize_reply_query could then be something like:


        authorize_reply_query = "\
          SELECT id, UserName, Attribute, Value, op \
          FROM ${authreply_table} \
          WHERE Username = '%{SQL-User-Name}' \
          AND (CheckGroup = '' OR CheckGroup IN(%{control:Matched-Groups}))"



Then if the request came from a NAS which has a matching check attribute for
the WIRELESS group, only 'radreply' items with CheckGroup of WIRELESS (and
those with no CheckGroup) would be returned.  So in this case,
Mikrotik-Rate-Limit and Some-Common-Attribute.


Obviously the surgery to rlm_sql would be in building
%{control:Matched-Groups}, which would mean shuffling some code around, as
currently the groups aren't looked at till after the per-user reply
attributes are processed.


Or is there some other way of doing this I'm spacing on?


   -- hugh
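
The filter proposed in the message above, as an added example that is not part of the original post and is not rlm_sql code: it runs the same WHERE clause against an in-memory SQLite table and binds each matched group as a query parameter instead of expanding a list into the SQL text. The table layout, the user names, the attribute values and the `reply_attributes` helper are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample rows. The CheckGroup column layout is assumed from the
# message; its own example table did not survive in the archive.
ROWS = [
    ("alice", "Mikrotik-Rate-Limit", "512k/2M", "=", "WIRELESS"),
    ("alice", "Framed-Protocol", "PPP", "=", "DIALUP"),
    ("alice", "Some-Common-Attribute", "1", "=", ""),
    ("bob", "Mikrotik-Rate-Limit", "256k/1M", "=", "WIRELESS"),
]


def make_db():
    """Build an in-memory radreply table with the optional CheckGroup column."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radreply (id INTEGER PRIMARY KEY, UserName TEXT,"
        " Attribute TEXT, Value TEXT, op TEXT,"
        " CheckGroup TEXT NOT NULL DEFAULT '')"
    )
    db.executemany(
        "INSERT INTO radreply (UserName, Attribute, Value, op, CheckGroup)"
        " VALUES (?, ?, ?, ?, ?)", ROWS)
    return db


def reply_attributes(db, username, matched_groups):
    """Return (Attribute, Value, op) rows whose CheckGroup is empty or is one
    of the groups the request matched (hypothetical helper)."""
    groups = list(matched_groups)
    sql = ("SELECT Attribute, Value, op FROM radreply"
           " WHERE UserName = ? AND (CheckGroup = ''")
    if groups:
        # One bound placeholder per group: group names never become SQL text.
        sql += " OR CheckGroup IN (" + ", ".join("?" * len(groups)) + ")"
    # With no matched groups the IN clause is omitted rather than left empty.
    sql += ") ORDER BY id"
    return db.execute(sql, [username, *groups]).fetchall()


if __name__ == "__main__":
    db = make_db()
    for groups in (["WIRELESS"], ["DIALUP"], []):
        print(groups, reply_attributes(db, "alice", groups))
```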



More information about the Freeradius-Devel mailing list