Huntgroup Implementation with MySQL and Radgroupcheck

Jenny Blunt jennyshoehorn at
Thu Jul 26 11:27:07 CEST 2012

Hi Phil, thanks for the reply and help. Have been in a pickle with this for an age.

Could you confirm that the query at the bottom should go in the sites-available/default file in the auth section?

Huntgroups work with radcheck but understand I need a separate attr now (at last)!

On Jul 26, 2012, at 10:07 AM, Phil Mayers <p.mayers at> wrote:

On 07/26/2012 09:51 AM, Jenny Blunt wrote:
> I'm looking for some help with the implementation of huntgroups.
> Am using mysql and have followed the following topic through:
> In sites-available/default I have this, (just after preprocess:
> update request {
> Huntgroup-Name := "%{sql:SELECT `groupname` FROM
> `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}"
> }

Don't do this.

Read the 2nd email in the thread you linked to.

Huntgroup-Name is a special attribute; comparisons are executed 
dynamically. You can't just use it like an ordinary string attribute.

Define another attribute in raddb/dictionary:

ATTRIBUTE SQL-Location 3010 string

...and use that.

> authorize_group_check_query = "SELECT id, groupname, attribute_name, \
> Value, op \
> FROM ${groupcheck_table} \
> WHERE ( groupname = '%{Sql-Group}' OR groupname =
> '%{Huntgroup-Name}' ) \
> ORDER BY id"
> (Which doesn't make logical sense to me)

It doesn't make sense to me either. So why do it?

> What I'm failing to get my head around is how to reject or allow access
> based on the location their dialing in from?
> For example, a user from IP 1.x.x.x should be allowed access at location
> 1 only.

I don't know what this means.

Write down the policy you want in plain english. Figure out what sources 
of data you need to execute that policy. Read those sources of data into 
attributes. Write a policy to check them.

For example:

authorize {
update request {
SQL-Location = "%{sql:select location from ...}"
if (NAS-IP-Address =~ /^1\./) {
if (SQL-Location != "Location 1") {
List info/subscribe/unsubscribe? See
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list