Huntgroups issue - every user is accepted

Alan DeKok aland at
Mon Jan 19 10:29:01 CET 2009

Hanno Schupp wrote:
> I am trying to implement huntgroups via MySQL according to
> On difference is the
> assignment of huntgroups not according to NAS-IP, but to
> Called-Station-Id. The goal is to suppress roaming between hotspot
> routers, between groups of hotspots.
> For that purpose I have inserted the code
> In lieu of the module ‘preprocess’ into group ‘authorize’, as advised in
> the HOWTO.

  You also seen to be over-riding that in the SQL tables:

> `radgroupcheck` 
> `id`, `GroupName`, `Attribute`, `op`, `Value` 
> 1, 'TestGroup', 'Huntgroup-Name', ':=', 'Test'

  This sets the Huntgroup-Name to "Test".

> One would expect the user to be rejected if the user tries to log in to
> the router with the Called-Station-Id '00-1D-7E-E7-96-9F’, However, the
> user is authenticated and not rejected.

  You did not configure the server to reject the user if he logs in with
that Called-Station-Id.  You configured the server to put him in a
huntgroup if he logs in with that Called-Station-Id.

  Did you configure the server to reject users in the "Test-Rejec"
huntgroup?  It looks like you didn't.

> One thing I don’t get is, why is the rlm_sql_mysql module finding the
> Hungroup-Name ‘Test-Rejec’ correctly, but module ‘request’ returns not
> found?

  There are explanations for that...

> The user is found in radgroupchek for the correct usergroup
> ‘TestGroup’. As the values in radgroupcheck and radgroupreplycheck do
> not match, the user should be rejected, but the user is accepted.

  No.  If the values in radgroupcheck do not match.... it means they do
not match.

  You have *other* configurations that let the server authenticate the
request.  You did *not* configure the server to reject the request if
it's in the "Test-Rejec" huntgroup.

  Alan DeKok.

More information about the Freeradius-Users mailing list