Different reply attributes for same username in rlm_sql

Phil Mayers p.mayers at imperial.ac.uk
Fri Jan 4 15:29:45 CET 2013

On 04/01/13 14:18, Joe Rogers wrote:
> I am having difficulties implementing the following users file
> configuration in sql using freeradius 2.2.0:
> user1     Calling-Station-Id == "xx-xx-xx-xx-xx-xx"
>          Tunnel-Private-Group-ID = VLAN1,
>          Tunnel-Medium-Type = IEEE-802,
>          Tunnel-Type = VLAN
> user1     Calling-Station-Id == "yy-yy-yy-yy-yy-yy"
>          Tunnel-Private-Group-ID = VLAN2,
>          Tunnel-Medium-Type = IEEE-802,
>          Tunnel-Type = VLAN
> I'm attempting to send different reply attributes for the same username
> based on different check attributes.  But, I'm having a hard time seeing
> how this is possible with rlm_sql using the default
> authorize_check_query and authorize_reply_query settings.  I can
> certainly re-write those queries, but I'm hoping that I'm simply
> overlooking the proper way to configure this.

I think you need to rewrite the queries. IIRC there is no way to have >1 
set of radcheck/radreply users for a single user; the check/reply 
entries are merged.

You can probably (ab)use the groups functionality to do this.

Or, don't use the radcheck/radreply stuff at all; instead use an SQL 
xlat in "unlang":

post-auth {
   update reply {
     Tunnel-Private-Group-ID = "%{sql:select vlan ... where ...}"
     Tunnel-Medium-Type = IEEE-802
     Tunnel-Type = VLAN

More information about the Freeradius-Users mailing list