radgroup mysql question

John (yt) Hogenmiller ytjohn at gmail.com
Tue Oct 4 02:31:27 CEST 2005


Hi,

About two years ago I set up a freeradius server (as well as
integration with their accounting system) with a mysql backend.  Now,
I need to make a change and I'm looking at either rewriting the
programs or (hopefully) just making some changes to the
configuration/database data.

Basically I added a group to radgroupreply with all the attributes
that a normal, authorized user would need.  I added the user default
to that group and enabled default_user_profile in sql.conf.

Additionally, we created a "suspend" group that gave an Access-Reject.
 Anyone suspended by the accounting program is added to this group.

Later, we made a change... suspended accounts were allowed to connect
(Access-Accept), but they were given specific Ascend-Data-Filter
packets in order to restrict them to one server that allows them to
make payments.  The default dialin group also has Ascend-Data-Filter
packets (to restrict access to port 25 and 119 beyond our network).

The problem with this setup is that when a "suspend" user
authenticates to the freeradius server, it first grabs both the
attributes associated with the 'suspend' group AND the 'dialin' group.
 This means that we are sending two blocks of Ascend-Data-Filter
attributes.  With most of the equipment, this didn't cause a problem...
it took the first group and ignored the rest.  However, we have
recently started using some equipment that is reading both and ends up
allowing suspended users' traffic out.

So, that is the situation.  Basically, without individually putting
every current user into the dialin group (which involves a major
software re-write), is there a way to define a set of reply packets
that every (valid authenticated) user will receive, unless they are in
a group.  Or, to ask that a different way, people in the group
"suspend" should receive only the reply attributes associated with the
GroupName "suspend".  Everyone else should get a different, default
set of attributes (whether defined in radgroupreply or radreply makes
no difference to me).

Thanks in advance for any help that you can give,
John


--
YourTech, LLC - http://yourtech.us/
(this account is used for mailing lists)
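
The merge described in the message above, next to the group-exclusive selection it asks for, as an added example that is not part of the original post and is not FreeRADIUS code or configuration. The `usergroup` table layout, the user names and the filter values are constructed placeholders; `filter_sources` doubles as an audit check for replies that mix filter sets from more than one group.

```python
import sqlite3

# Constructed sample data. Table layout is a simplified stand-in (assumption);
# filter values are placeholders, not real Ascend-Data-Filter strings.
SCHEMA = """
CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupreply (GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
INSERT INTO usergroup VALUES ('alice', 'suspend');
INSERT INTO radgroupreply VALUES
  ('dialin',  'Framed-Protocol',    '=',  'PPP'),
  ('dialin',  'Ascend-Data-Filter', '+=', 'DIALIN-FILTER-PLACEHOLDER'),
  ('suspend', 'Framed-Protocol',    '=',  'PPP'),
  ('suspend', 'Ascend-Data-Filter', '+=', 'SUSPEND-FILTER-PLACEHOLDER');
"""
DEFAULT_GROUP = "dialin"  # group applied through the default profile (assumed name)
IN_USER_GROUPS = "GroupName IN (SELECT GroupName FROM usergroup WHERE UserName = ?)"
COLS = "SELECT GroupName, Attribute, Value FROM radgroupreply WHERE "

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def merged_reply(db, user):
    """Behaviour described in the post: own groups plus the default group."""
    sql = COLS + "GroupName = ? OR " + IN_USER_GROUPS + " ORDER BY rowid"
    return db.execute(sql, (DEFAULT_GROUP, user)).fetchall()

def exclusive_reply(db, user):
    """Requested behaviour: own groups win; default group only as a fallback."""
    rows = db.execute(COLS + IN_USER_GROUPS + " ORDER BY rowid", (user,)).fetchall()
    if rows:
        return rows
    return db.execute(COLS + "GroupName = ? ORDER BY rowid", (DEFAULT_GROUP,)).fetchall()

def filter_sources(reply):
    """Groups contributing Ascend-Data-Filter; more than one means mixed rule sets."""
    return sorted({g for g, attr, _ in reply if attr == "Ascend-Data-Filter"})

if __name__ == "__main__":
    db = open_db()
    for user in ("alice", "bob"):  # bob has no group row, so he is a normal user
        print(user, filter_sources(merged_reply(db, user)),
              filter_sources(exclusive_reply(db, user)))
```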



