Advanced SQL Auth/Generate clients.conf from SQL?

Dan Mahoney, System Admin danm at
Sat Feb 3 01:36:30 CET 2007

Hey all,

Two questions, related to SQL...


I recently became enamored by the power of SQL, and while I find no easy 
way through SQL to do multiple check-items easily in a logical 
fall-throughable order.

I.e. through SQL how would one do (for an entry level tech):

Jeremy nas-ip-address="the vpn server" password="x"
Service-Type = "Framed-User"

# Our switches, which we trust jeremy not to mess up
Jeremy password = "y"
Service-Type = "Admin-User"

Jeremy nas-ip-address="a big powerful router"
Service-Type = Reject

I see an easy way to return items based on group membership (which seems 
to be rather 1:n right now, i.e. it doesn't appear that a person can be a 
member of more than one group).

With the standard tables.  I.e. I'm not sure how the various items are 
"linked" and ordered where you are able to have multiple instances of the 
same usernames, but varying other auth attributes.

I do think I've found a happy medium (albeit with a more complex 
join/union system on the backend) -- but it involves embedding a lot of 
values into the query, which shouldn't be the case (I couldn't find a 
really-advanced example anywhere -- if anyone has one, I would LOVE to see 
it (as it translates to a "normal" users file.

I'm not using this for dialup, instead we're using it for network 
management (because RADIUS is a good common denominator, far better than 
tac+).  For that reason, we're going to have a lot of specific instances 
where we do (or don't) want people to have very specific types of access.


My second question is, now that I've got a list of all my NASes in 
SQL, has anyone written (or added to beta or something similar) code to do 
*those* via SQL?  Specifically we already have all our network devices 
(and shared secrets) in a SQL database anyway, and it would be cool to use 
them in realtime.

I could just as easily bang together a perl script for this, and throw it 
in a crontab with a HUP tool (every hour or whatnot) -- and I would be 
happy to contibute such a script, but I'd like to know I'm not reinventing 
the wheel (especially because SQL-realtime is so much cooler than "once an 

Any ideas GREATLY appreciated.



--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM

More information about the Freeradius-Users mailing list