authorization: unlang/NAS-IP-Address

Alan DeKok aland at deployingradius.com
Wed Jul 23 15:11:16 CEST 2008


leopold wrote:
> If user is coming from NAS-IP-Address x.x.x.1 or x.x.x.2 or x.x.x.3 the user
> should be accepted and reply attributes are sent back
> If however the user is coming from NAS-IP-Address y.y.y.1 he should be
> rejected (even in the case he provides a valid password and NAS y.y.y.1 is
> properly defined in NAS table with a valid shared key)

  It's a little difficult to do that with just the SQL module.

> Since I found that only one operator "==" for NAS-IP-Address check attribute
> can be found, I changed
> authorize_group_check_query, but still I managed to get reply list as empty
> for invalid NAS-IP and expected attributes from valid NAS (which is part of
> check attributes) but user is accepted in both cases.
> 
> Is there a way to check if "reply" list is empty in unlang (does not contain
> ANY attributes)?

  No.  However, see the return code from SQL.  If it doesn't find the
user, it should return "notfound", or "noop".  Read the debug output to
see more.  You can then do:

	if (notfound) {
		reject
	}

  Which is what you want.

  Alan DeKok.


