MySQL: Checking Attributes for multiple values
Andreas Liebe
liebe at hrz.tu-darmstadt.de
Sun Jul 30 11:00:21 CEST 2006
I try to set up a FreeRadius where any user can be a member of one or
more groups. The groups should check which service the user is using.
Access should be granted if one of the groups has a match.
I used the docs at http://wiki.freeradius.org/index.php/Rlm_sql.
The 2 groups in this example should check if the request is coming from
concentrator A resp. B. If a user is a member of both groups access should
be granted if he's either using A or B, but only access through A is
permitted. If a user is only a member of group A or B then everything is
fine.
As it turns out the check for IP A is a match for the radius server and
thus access is denied because the IP in the request is B. But according
to the docs "==" should only match if both attribute and value matches.
I would expect the first test not to be a match and to try the 2nd test
next.
When I change the Attribute in the 1st test from NAS-IP-Address to an
attribute not in the request the access from IP B is granted.
Probably I misunderstood the checking algorithm. Can you give me a hint
how to configure this correctly?
I tested with FreeRadius 1.1.2 and a pre 1.0.
Thanks,
-Andreas

radcheck:
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+-------+
| 1  | joe      | Password  | == | blah  |

radreply:
| id | UserName | Attribute    | op | Value |
+----+----------+--------------+----+-------+
| 1  | joe      | Fall-Through | =  | Yes   |

usergroup:
| id | UserName | GroupName |
+----+----------+-----------+
| 1  | joe      | My01group |
| 2  | joe      | My02group |

radgroupcheck:
| id | GroupName | Attribute      | op | Value       |
+----+-----------+----------------+----+-------------+
| 1  | My01group | NAS-IP-Address | == | 10.11.12.13 |
| 2  | My02group | NAS-IP-Address | == | 10.11.12.14 |