Reject user if does not match group's checks

Andrei Petru Mura mapandrei at
Mon Aug 6 09:29:36 CEST 2012

On Mon, Aug 6, 2012 at 9:14 AM, Alan DeKok <aland at>wrote:

> Andrei Petru Mura wrote:
> > I can have many groups. For any group, let's suppose I have declared in
> > radgroupcheck many attributes (like Session-Timeout, Idle-Timeout,
> > Login-Time, ...).
>   Login-Time is a check attribute.  Session-Timeout and Idle-Timeout are
> not.
> Yes, I know. My mistake.

> > Now I want that any user that tries to authenticate,
> > no matter what group belongs to, if does not meet successfully the group
> > checks, should be rejected.
>   This isn't really how group checks work.  The limitation is due to the
> mathematical way group membership works, and not to FreeRADIUS.
> Yes, I know. But that's exact the behavior that I want to get from FR. How
to make it working like that?

>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list