Member of Group Check Else REJECT

Neville Collins nev at itsnev.co.uk
Wed Feb 1 01:57:01 CET 2012


Hi,

I'm trying to check if a user is coming from a particular NAS, then check if
that user is also a member of a GROUP associated with that NAS, else REJECT
access.

Authorise section…..

if(NAS-Identifier == 'OpenVPN' && SQL-GROUP == 'openvpn') {
        update reply {
                Reply-Message := "OpenVPN AuthCheck OK"
        }
        reject
}
…

Wed Feb  1 00:37:59 2012 : Info: ++? if (NAS-Identifier == 'OpenVPN' &&
SQL-GROUP == 'openvpn')
Wed Feb  1 00:37:59 2012 : Info: ? Evaluating (NAS-Identifier == 'OpenVPN' )
-> TRUE
Wed Feb  1 00:37:59 2012 : Info: sql_groupcmp
Wed Feb  1 00:37:59 2012 : Info: expand: %{User-Name} -> nev
Wed Feb  1 00:37:59 2012 : Info: sql_set_user escaped user --> 'nev'
Wed Feb  1 00:37:59 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 1
Wed Feb  1 00:37:59 2012 : Info: expand: SELECT groupname           FROM
radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER
BY priority -> SELECT groupname           FROM radusergroup           WHERE
username = 'nev'           ORDER BY priority
Wed Feb  1 00:37:59 2012 : Debug: rlm_sql (sql): Released sql socket id: 1
Wed Feb  1 00:37:59 2012 : Info: sql_groupcmp finished: User is NOT a member
of group openvpn


As user 'nev' is not part of group 'openvpn' but is trying to access NAS
'OpenVPN' it should Reject the login and not go any further, but it does
not.

I know I'm missing something, so any help would be greatly appreciated.

Thx
Nev
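
An added example, not part of the original post: the posted condition is true only when the user is in the group, so its `reject` runs for members and is skipped for a non-member such as 'nev', which matches the debug output above. The version below negates the group test; it assumes unlang's `!( ... )` negation and reuses the NAS-Identifier and SQL-Group names from the post, and the Reply-Message text is made up for illustration.

```unlang
# Added example, not from the original post. Goes in the authorize section,
# after the sql module instance has been loaded (SQL-Group is registered by it).
#
# As posted, the block is entered only when BOTH tests are true, i.e. when
# the user IS a member of the group, so members are rejected and
# non-members fall through:
#
#   if (NAS-Identifier == 'OpenVPN' && SQL-Group == 'openvpn') { ... reject }
#
# Deny-unless-member: enter the block when the request comes from this NAS
# and the user is NOT in the group. Requests from other NASes, and members
# of the group, fall through to the rest of authorize.
#
# Note: if NAS-Identifier is absent from the request, the first comparison
# is false and the request also falls through.
if (NAS-Identifier == 'OpenVPN' && !(SQL-Group == 'openvpn')) {
        update reply {
                # Constructed message text, for illustration only.
                Reply-Message := "OpenVPN AuthCheck failed: not in group openvpn"
        }
        reject
}
```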



