freeradius and ADSL-Agent-Circuit-Id
Mike
mike-freeradius at tiedyenetworks.com
Thu Jul 29 00:36:47 CEST 2010
Johan Meiring wrote:
> On 2010/07/21 11:00 AM, Alan DeKok wrote:
>>
>> authorize {
>>     ...
>>     if (ADSL-Agent-Circuit-Id && \
>>         ("%{sql: select ...}")) {
>>         update control {
>>             Auth-Type := Accept
>>         }
>>
>>     }
>>     else {
>>         reject
>>     }
>>
>> }
>>
>
> I disagree with the logic slightly.
> In my opinion it will also be rejected if ADSL-Agent-Circuit-Id does
> not exist.
>
> As far as I understand, the desirable result is:
> If the ADSL-Agent-Circuit-Id does *not* exist, normal authentication
> must happen.
> If it *does* exist, accept or reject, depending on its value.
>
> Would this not work better?
>
> authorize {
>     ...
>     if (ADSL-Agent-Circuit-Id) {
>         if ("%{sql: select ...}") {
>             update control {
>                 Auth-Type := Accept
>             }
>         }
>         else {
>             reject
>         }
>     }
> }
>
>
>
I have been attempting to implement this advice. I can use a 'select
count(*)' sql query and based on whether the value is 1, I can then set
Auth-Type := Accept just like it's written above. But, there's
additional processing that is desirable that I just can't figure out
how to do here. Instead of just blindly setting Accept, I might want to
proceed with having the sql module do group processing and so forth to
finally accumulate all of the reply attributes that apply to this
request. Maybe that reply is 'Auth-Type := Reject' but then others
contain 'Accept' along with framed-ip-address and so forth. This would
involve using a modified sql query in the event that
ADSL-Agent-Circuit-Id is present, and there doesn't appear to be any way
at run time to make that selection.
I am getting the impression that perhaps I need to run maybe a second
server that has its sql configured with queries tailored for the
presence of this attribute, and then proxy requests from the primary
server to this one in this case. I could probably run it on loopback on
another port so that the radius clients don't have to know anything
about it. Still it's a bit of work but that seems to be the only way
possible to make sql query one database if the attribute is present, and
query another if it's not (or, use different queries).
Would love more insight if anyone cares to share.
Thank you.
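
Added example (not part of the original message and not FreeRADIUS code): a Python model of the two quoted authorize blocks, showing for which requests their outcomes differ. The circuits table, the sample circuit IDs and all function names are constructed, and the elided "select ..." is assumed to be true only for a known circuit.

```python
import sqlite3

ACCEPT, REJECT, CONTINUE = "accept", "reject", "continue"

def make_db():
    # Constructed sample data: a single provisioned circuit.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE circuits (circuit_id TEXT PRIMARY KEY)")
    db.execute("INSERT INTO circuits VALUES ('dslam1 atm 1/1/01:0.35')")
    return db

def circuit_known(db, circuit_id):
    # Stand-in for the elided "%{sql: select ...}" expansion (assumption).
    # The value is bound as a parameter, never pasted into the SQL text.
    row = db.execute(
        "SELECT count(*) FROM circuits WHERE circuit_id = ?", (circuit_id,)
    ).fetchone()
    return row[0] == 1

def policy_single_condition(db, request):
    # First quoted block: one combined test, everything else hits 'reject'.
    cid = request.get("ADSL-Agent-Circuit-Id")
    if cid is not None and circuit_known(db, cid):
        return ACCEPT
    return REJECT

def policy_nested(db, request):
    # Second quoted block: decide only when the attribute is present,
    # otherwise fall through to the rest of the authorize section.
    cid = request.get("ADSL-Agent-Circuit-Id")
    if cid is not None:
        return ACCEPT if circuit_known(db, cid) else REJECT
    return CONTINUE

# Constructed requests covering the three cases discussed in the thread.
SAMPLE_REQUESTS = {
    "no circuit id": {"User-Name": "bob"},
    "known circuit": {"ADSL-Agent-Circuit-Id": "dslam1 atm 1/1/01:0.35"},
    "unknown circuit": {"ADSL-Agent-Circuit-Id": "dslam9 atm 9/9/09:0.35"},
}

def compare(db, requests):
    # Maps each case to (single-condition outcome, nested outcome).
    return {name: (policy_single_condition(db, r), policy_nested(db, r))
            for name, r in requests.items()}

if __name__ == "__main__":
    for name, outcome in compare(make_db(), SAMPLE_REQUESTS).items():
        print(f"{name:16} single={outcome[0]:8} nested={outcome[1]}")
```

The two policies agree whenever the attribute is present and differ only for requests that lack it: the single-condition form rejects them, the nested form leaves them to normal authentication.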