prevent roaming configuration question

isidoros webmaster at
Mon Oct 2 09:08:36 CEST 2006

James Wakefield wrote:
> isidoros wrote:
>> Goal:
>> users X,Y,Z should only be authenticated on NAS1 and not on NAS2 or 
>> any other nas
>> users A,B,C should only be authenticated on NAS2 and not on NAS1 or 
>> any other nas
>> etc
> G'day,
> You'll probably want users X,Y,Z mapped to one group (let's say, G1), 
> and A,B,C mapped to another (let's say, G2) in your usergroup table. 
> You can then use NAS-IP-Address as a check item in radgroupcheck to 
> authorize only G1 from NAS1's IP address, and authorize only G2 from 
> NAS2's IP address.  You shouldn't have to touch any of the SQL queries 
> in sql.conf.
> should provide the info you need to 
> do the above.
> Cheers,
Thanks James for your answer,

I'm fairly new to freeradius I know the package only 14 days. (or radius 
in general for that matter)

The group configuration is a mystery to me. It is unclear for me how 
this separates the users. This is how I think
1) G1 with users A,B,C
2) G2 with users X,Y,Z
3) At a request the configuration determines which group the user belongs to
4) And makes a query for the users A until Z to the same database
5) the auth_query only talks about the user.
6) This is the point where a fail to understand that the group config 
helps me. The query is made to the same database on behalf of the any user.

Please spell it out to me where my thinking goes wrong. I would like the 
understand this group config thing better (if at all at this point in time).

In the meanwhile:
I have solved the problem with the below changes:

in sql.conf replace this rule with:
authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
FROM ${authcheck_table} \
WHERE Username = '%{SQL-User-Name}' AND \
Location = (SELECT Location FROM nas WHERE nasname = '%{NAS-Identifier}') \

in mysql

fill the nas table with your info:
INSERT INTO nas (nasname, nasshortname, type, secret, Location) VALUES 
('yournasname in chillspot', 'anyname' , 'other', 'shared secret', 
'Location-number '.  );

It works, but I have no idea if this is "best practice" or I'm seriously 
damaging the config.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list