design question

Arran Cudbard-Bell a.cudbardb at
Wed Mar 6 04:17:12 CET 2013

On 5 Mar 2013, at 18:03, Matt Zagrabelny <mzagrabe at> wrote:

> On Mon, Mar 4, 2013 at 4:28 PM, Arran Cudbard-Bell
> <a.cudbardb at> wrote:
>> You know SQL supports groups right? and that a group matching can be conditional on attributes in the request? and that you can add aditional config items to client definitions to mark them as a special devices?
> Hi Arran,
> Thanks for the reply. I've grepped the wiki and mailing list archives
> and could not answer the following:
> What do I change in the nas table (in the database) to mark the
> network boxes as "special devices"? I see the schema as:
> nasname VARCHAR(128) NOT NULL,
> shortname VARCHAR(32) NOT NULL,
> type VARCHAR(30) NOT NULL DEFAULT 'other',
> ports int4,
> secret VARCHAR(60) NOT NULL,
> server VARCHAR(64),
> community VARCHAR(50),
> description VARCHAR(200)
> );
> Is it the "server" field? If so, could you also briefly explain how to
> apply that to group matching? (I have added users to groups using the
> usergroup table, but haven't touched the radgroupcheck/reply yet.)

So long as you're using static devices in clients.conf you can use the xlat expansion "%{client:<config item>}".

Add an extra string attribute to raddb/dictionary, something like Client-Group, then populate it before calling the sql module.

authorize {
	update request {
		Client-Group := "%{client:group}"

Then add a 'group' config item in the client {} definition.

You can then use Client-Group as a check item.


> Thanks for any help!
> -mz
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list