check items in radgroupcheck?

Jiann-Ming Su su_js1 at yahoo.com
Wed Jun 2 23:35:26 CEST 2010


According to the rlm_sql:

  5. For each group this user is a member of, the corresponding check items
     are pulled from radgroupcheck table and compared with the request.  If
     there is a match, the reply items for this group are pulled from the
     radgroupreply table and applied.

How many "check items" will freeradius check through?  In my testing, it seems like on the first fail, it immediately goes to the next group.

For example, I have the following in my radgroupcheck table:

idgroupnameattributeopvalue
6mygroupPrefix==myprefix1
7mygroupPrefix==myprefix2
8mygroupAuth-Type:=Accept

In my testing, if the user with myprefix2 fails authentication because it doesn't match "Prefix==myprefix1" and freeradius immediately searches through the next group as specified:

  6. Processing continues to the next group IF:
     a. There was not a match for the last group's check items OR

If I take out "Prefix==myprefix1" then the myprefix2 user authenticates correctly.  Am I wrong in assuming freeradius will go through all check items for a group?  Should I simply create two groups:  mygroup1 and mygroup2?  Where mygroup1 has Prefix==myprefix1 and mygroup2 has Prefix==myprefix2?  

Thanks for any clarification.


      



More information about the Freeradius-Users mailing list