return ALL the AVPs for a username that belongs multiple groups
Lenir
lenirsantiago at yahoo.com
Fri Oct 28 23:21:26 CEST 2005
Here's the rest of my config. Notice that username 3000 belongs to groups
Dialin and Dialin2. The user can register fine; however, in this case the
Access-Accept packet only returns the AVPs related to group Dialin (I'm
guessing it's because it's the first one that it matches).
mysql> select * from radcheck;
+----+----------+-----------+----+----------+
| id | UserName | Attribute | op | Value    |
+----+----------+-----------+----+----------+
|  1 | Jhassell | Password  | == | changeme |
|  2 | Rneis    | Password  | == | changeme |
|  3 | 1000     | Password  | == | 1000     |
|  4 | 2000     | Password  | == | 2000     |
|  5 | 3000     | Password  | == | 3000     |
+----+----------+-----------+----+----------+
5 rows in set (0.00 sec)
mysql> select * from radreply;
Empty set (0.00 sec)
mysql> select * from usergroup;
+----+----------+------------+
| id | UserName | GroupName  |
+----+----------+------------+
|  1 | Jhassell | Dialin     |
|  2 | Rneis    | Staticdial |
|  3 | 1000     | Dialin     |
|  4 | 2000     | Dialin     |
|  5 | 3000     | Dialin     |
|  6 | 3000     | Dialin2    |
+----+----------+------------+
6 rows in set (0.00 sec)
mysql> select * from radgroupcheck;
Empty set (0.00 sec)
mysql> select * from radgroupreply;
+----+-----------+---------------+----+----------------------------------+------+
| id | GroupName | Attribute     | op | Value                            | prio |
+----+-----------+---------------+----+----------------------------------+------+
|  1 | Dialin    | Reply-Message | =  | "Authenticated by group Dialin"  |    0 |
|  2 | Dialin2   | SIP-AVP       | =  | Cust-AVP:feat_2                  |    0 |
|  3 | Dialin    | SIP-AVP       | =  | Cust-AVP:feat_1                  |    0 |
+----+-----------+---------------+----+----------------------------------+------+
3 rows in set (0.00 sec)
mysql> select * from radpostauth;
Empty set (0.00 sec)
-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, October 28, 2005 1:34 PM
To: FreeRadius users mailing list
Subject: Re: return ALL the AVPs for a username that belongs multiple groups
"Lenir" <lenirsantiago at yahoo.com> wrote:
> Radius replies with the AVPs of the first group that it
> matches that the user belongs to. Instead of returning all the AVPs for all
> the groups that the user belongs to.
The example you posted didn't include groups or reply AVP's.
> So I guess the question is, can a user belong to multiple groups? If so, how
> can radius reply with all the AVPs that correspond to ALL the groups that
> the user belongs to?
Yes, and you configure the server to do that.
Alan DeKok.