prevent roaming configuration question

James Wakefield jamesw at
Mon Oct 2 10:15:26 CEST 2006

isidoros wrote:

> Thanks James for your answer,
> I'm fairly new to freeradius; I have known the package for only 14 days
> (or radius in general, for that matter).
> The group configuration is a mystery to me. It is unclear to me how 
> this separates the users. This is how I think:
> 1) G1 with users A,B,C
> 2) G2 with users X,Y,Z
> 3) At a request the configuration determines which group the user belongs to
> 4) And makes a query for the users A until Z to the same database
> 5) the auth_query only talks about the user.
> 6) This is the point where I fail to understand how the group config 
> helps me. The query is made to the same database on behalf of any user.
> Please spell it out to me where my thinking goes wrong. I would like to 
> understand this group config thing better (if at all at this point in time).

Hi Isidoros,

In sql.conf,

authcheck_table = "radcheck"
authreply_table = "radreply"

groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"

usergroup_table = "usergroup"

groupcheck_table and usergroup_table are referred to here:

authorize_group_check_query = "SELECT 
  FROM ${groupcheck_table},${usergroup_table} WHERE 
${usergroup_table}.Username = '%{SQL-User-Name}' AND 
${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY 

This retrieves all the check items that apply to the group the user 
belongs to.  The usergroup table maps users to groups, and radgroupcheck 
maps groups to check items.  A check item, which will be a new term to 
you if you're a newbie, is an expression which is evaluated when 
deciding whether or not to authorize a request, such as User-Password == 
"mypassword", or Calling-Station-Id != "5554796".

When rlm_sql is invoked to authorize a request, the user's check items 
in radcheck are evaluated.  When the user is in a group, this might only 
be to check User-Password.  Then, authorize_group_check_query is used to 
retrieve check items for the user's group, which are then evaluated. 
If all the applicable check items, from both radcheck and radgroupcheck, 
match, then the reply items - Attribute=Value pairs sent from freeradius 
to the NAS when it sends the Access-Accept message for an authorized 
request - are retrieved by querying radreply, for reply items specific 
to the user, and radgroupreply, for reply items specific to the user's 

Make any more sense?

> In the meanwhile:
> I have solved the problem with the below changes:
> in sql.conf replace this rule with:
> authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
> FROM ${authcheck_table} \
> WHERE Username = '%{SQL-User-Name}' AND \
> Location = (SELECT Location FROM nas WHERE nasname = '%{NAS-Identifier}') \
> ORDER BY id"
> in mysql
> fill the nas table with your info:
> INSERT INTO nas (nasname, nasshortname, type, secret, Location) VALUES 
> ('yournasname in chillspot', 'anyname', 'other', 'shared secret', 
> 'Location-number');
> It works, but I have no idea if this is "best practice" or I'm seriously 
> damaging the config.

Best practice is to not change any code if you don't have to.  By using 
groups, you don't have to change any code.  I wouldn't say you've 
"seriously damaged" the config, but you may find that it doesn't behave 
in the future.  I would recommend spending the time getting groups and 
group checks to work, then reverting any SQL queries you've altered back 
to their defaults.  It'll be much less painful in the long run.


James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   james.wakefield at
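
Added example, not part of the original message and not FreeRADIUS's own code: a simplified Python/sqlite3 model of the group check described above, where each group carries a NAS-Identifier check item so a user is rejected when the request comes from another location's NAS. The users, groups, passwords and NAS names are constructed, the table and column names follow the sql.conf excerpt, and only the == and != operators are modelled.

```python
import sqlite3

# Constructed sample data; table and column names follow the sql.conf excerpt.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES
  ('userA', 'User-Password', '==', 'passA'),
  ('userX', 'User-Password', '==', 'passX');
INSERT INTO usergroup VALUES ('userA', 'G1'), ('userX', 'G2');
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES
  ('G1', 'NAS-Identifier', '==', 'hotspot-1'),
  ('G2', 'NAS-Identifier', '==', 'hotspot-2');
"""

# Bound parameters stand in for the '%{SQL-User-Name}' expansion.
USER_CHECK = "SELECT Attribute, op, Value FROM radcheck WHERE UserName = ? ORDER BY id"
GROUP_CHECK = """SELECT radgroupcheck.Attribute, radgroupcheck.op, radgroupcheck.Value
FROM radgroupcheck, usergroup
WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id"""


def item_matches(request, attribute, op, value):
    """Evaluate one check item against the request attributes (== and != only)."""
    actual = request.get(attribute)
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    raise ValueError(f"operator {op!r} is not modelled here")


def authorize(db, request):
    """Accept only if the user's own and the group's check items all match."""
    user = request["User-Name"]
    user_items = db.execute(USER_CHECK, (user,)).fetchall()
    if not user_items:
        return False  # unknown user: nothing in radcheck
    group_items = db.execute(GROUP_CHECK, (user,)).fetchall()
    return all(item_matches(request, *item) for item in user_items + group_items)


def demo_db():
    """Build the in-memory database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db
```

Both users live in the same radcheck table; the join through usergroup is what attaches the per-location check item, so no stock query has to be altered.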
