Reject user if does not match group's checks

Alan DeKok aland at deployingradius.com
Mon Aug 6 08:14:06 CEST 2012


Andrei Petru Mura wrote:
> I can have many groups. For any group, let's suppose I have declared in
> radgroupcheck many attributes (like Session-Timeout, Idle-Timeout,
> Login-Time, ...). 

  Login-Time is a check attribute.  Session-Timeout and Idle-Timeout are
not.

> Now I want any user that tries to authenticate, no matter what group
> they belong to, to be rejected if they do not successfully meet the
> group checks.

  This isn't really how group checks work.  The limitation is due to the
mathematical way group membership works, and not to FreeRADIUS.

> So, instead of adding in radcheck all
> group's attributes for every user, I want to have them only in
> radgroupcheck. That's the idea. (I think that will help FR work faster
> when there's a great amount of users.) Is that possible?

  I have no idea what you think you're doing.  So I'm not sure how to
answer the questions.  Please read doc/rlm_sql.  It describes in
*detail* how the SQL module works.

  If you want to configure something for the user, make sure that it
follows doc/rlm_sql.  Then, it should work.

  The problem seems to be you're trying to configure "something" without
fully understanding how the server works.  So you're confused that your
configuration doesn't do what you want.  And you want to know how to
"fix" the configuration.

  The answer is this:  Don't fix the configuration.  Fix your
understanding of rlm_sql.

  Once you understand how it works, creating a configuration that works
should be pretty simple.

> P.S. You directed me to the FAQ, but I can't understand how to achieve
> that, even after reading the FAQ. I'm kind of a newbie to FR. I explained
> my scenario in hopes I made myself understood.

  Longer explanations are better.

  Alan DeKok.

