Check line and radgroupcheck evaluation question

Matt Hite lists at
Wed Jun 16 10:18:11 CEST 2010


Are check lines in the "users" file short-circuit "AND" evaluated from
left to right? Extrapolating this presumption out to radgroupcheck
when using a MySQL database, are the check items evaluated simply in
order of column id value (ie. the order they are returned from the

authorize_group_check_query = "SELECT id, groupname, attribute,
   Value, op           FROM radgroupcheck           WHERE groupname =
'%{Sql-Group}'           ORDER BY id"

Just trying to wrap my head around how one might do something useful
with radgroupcheck. I guess you are supposed to be able to match some
condition on the row whose group matches with the lowest column ID and
then subsequent rows that also have the same matching group (with
higher column ID's) can be used to set attributes or look for further
requisite conditions?

I am actually wanting to reject connections when groups of users come
in on the wrong huntgroup. I've seen significant discussion and
confusion in the mailing list archives in regards to this. Most of the
time I see people say "use radcheck to reject." I did spot a gem from
Ivan Kalik, though, which led me down this path.

>>However, the issue remains:
>>I do not want the user to be rejected per se. I only want the user to be
>>rejected if her own huntgroup as stored in radgroupcheck is different from
>>he huntgroup of the Called-Station-Id in the radhuntgroup table. The goal
>>is to prevent a user to login to a hotspot router, that does not belong to
>>the huntgroup the user belongs to.
>Hm, and what do you think:
>>> Huntgroup-Name != "Test", Auth-Type := Reject
>that does? As a joke, put them in radgroupcheck and see if it does
>*exactly* what you have described.

Thanks for your help,


More information about the Freeradius-Users mailing list