How to allow NASes to serve only groups of clients?
Alexander Solodukhin
alt at softwarium.net
Thu Mar 12 12:57:16 CET 2009
Thank you for the help. I tried to do as you said and put this in the authorize
section after preprocess:

    preprocess
    # allow hotspot users only
    if (SQL-Group != 'Spot') {
        reject
    }

Here is the debug output for this action:
++? if (SQL-Group != 'Spot')
sql_groupcmp
expand: %{User-Name} -> spot2
sql_set_user escaped user --> 'spot2'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}'
ORDER BY priority -> SELECT groupname FROM
radusergroup WHERE username = 'spot2'
ORDER BY priority
sql_groupcmp finished: User is a member of group Spot
rlm_sql (sql): Released sql socket id: 4
? Evaluating (SQL-Group != 'Spot') -> TRUE
++? if (SQL-Group != 'Spot') -> TRUE
++- entering if (SQL-Group != 'Spot') {...}
+++[reject] returns reject
++- if (SQL-Group != 'Spot') returns reject
Strange behaviour: user 'spot2' belongs to group 'Spot', but the if clause
returns TRUE and reject is returned.
The other strange thing is user 'test2', who is not a member of the 'Spot' group,
but the if clause does not work for them:
++? if (SQL-Group != 'Spot')
sql_groupcmp
expand: %{User-Name} -> test2
sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}'
ORDER BY priority -> SELECT groupname FROM
radusergroup WHERE username = 'test2'
ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
sql_groupcmp finished: User is NOT a member of group Spot <------ and
not reject here
++[chap] returns noop
++[mschap] returns noop
Here are the groups for spot2 and test2:
mysql> select * from radusergroup where username='spot2' or username='test2';
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| spot2    | Spot      |        1 |
| test2    | VPN       |        1 |
+----------+-----------+----------+
2 rows in set (0.01 sec)
On Thu, 12 Mar 2009 12:12:15 +0200, <tnt at kalik.net> wrote:
>> I use rlm_sql to store user attributes, but I thought SQL groups are an
>> internal feature of rlm_sql and not related to the RADIUS server at all.
>>
>
> It is internal, but SQL-Group can be used in other modules too. If you
> check SQL-Group in, let's say, users file, rlm_sql will be called and
> value of SQL-Group will be compared to values in radusergroup for that
> User-Name. If there is a match ...
>
> Ivan Kalik
> Kalik Informatika ISP
--
ISP CrIS, Softwarium
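
Added example, not part of the original message or of the quoted reply: in both traces above the condition's result follows the sql_groupcmp membership result and the "!=" is not applied, so one way to express the intended check is to keep the group comparison positive and negate it outside. This assumes the server's unlang accepts the "!( ... )" form and has not been tested against the poster's version.

```unlang
# authorize section (fragment)
preprocess

# As posted: the traces show this condition coming out TRUE for spot2
# (a member of Spot) and not firing for test2 (not a member), so the
# "!=" is not inverting the result of the group lookup.
#if (SQL-Group != 'Spot') {
#    reject
#}

# Assumed rewrite: positive membership test, negated outside the
# comparison, so the SQL group lookup only has to answer "is a member".
# allow hotspot users only
if (!(SQL-Group == 'Spot')) {
    reject
}
```

To check it, run the server in debug mode (radiusd -X) and authenticate as both spot2 and test2: the "sql_groupcmp finished" line and the presence or absence of "[reject] returns reject" should now agree for each user.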