SV: Make sense of SQL Huntgroup HOWTO?

Joel Bergmark joel.bergmark at t3.se
Fri Dec 18 16:51:28 CET 2015


Thanks for the input, I see that the issue is that I'm not a coder and didn't realise the function fully. The howto implies that this will check and reject, but I see my misinterpretation.

But I don’t see how to deny login: if the user is not a member of the Huntgroup-Name then reject?

I think the answer to this question should go up on the wiki. I emailed with several people that previously asked about this, but never got it working and gave up on freeradius.

Thanks for the assistance.

Kind regards, Joel



-----Original message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+joel.bergmark=t3.se at lists.freeradius.org] On behalf of Matthew Newton
Sent: 18 December 2015 16:27
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Make sense of SQL Huntgroup HOWTO?

On Fri, Dec 18, 2015 at 03:06:57PM +0000, Joel Bergmark wrote:
> In the sites-enabled/default I use as described in the HOWTO:
> 
>         update request {
>                 Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
>         }
>         if (Huntgroup-Name == '') {
>                 reject
>         }

So, reject if Huntgroup-Name is empty, right?

> I believe that the issue is the latter of the above statements that's
> supposed to match and reject, that's the problem, but like many others I
> can't figure out how to get this working.

>         NAS-IP-Address = 46.23X.XX.170
...
>         expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='46.23X.XX.170'
...
>         expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> 3rdline

Huntgroup-Name is "3rdline"

> ++[request] returns ok
> ++? if (Huntgroup-Name == '')
> ? Evaluating (Huntgroup-Name == '') -> FALSE
> ++? if (Huntgroup-Name == '') -> FALSE

Doesn't reject because Huntgroup-Name isn't empty.

> Sending Access-Accept of id 105 to 46.23X.XX.170 port 1645

Can't see a problem here?

Matthew



--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
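
The behaviour in the debug output above, modelled in Python as an added example (not part of the original thread and not FreeRADIUS configuration): the HOWTO lookup depends only on the NAS address, so it cannot reject a user who is outside the group. The `radusergroup` table layout, the addresses, the user names and the function names are assumptions made for the illustration.

```python
import sqlite3

def build_db():
    """In-memory stand-in for the SQL tables; every row is constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radhuntgroup (groupname TEXT, nasipaddress TEXT);
        CREATE TABLE radusergroup (username TEXT, groupname TEXT);
        INSERT INTO radhuntgroup VALUES ('3rdline', '192.0.2.10');
        INSERT INTO radusergroup VALUES ('alice', '3rdline');
        INSERT INTO radusergroup VALUES ('bob', 'helpdesk');
    """)
    return db

def huntgroup_for(db, nas_ip):
    """The HOWTO lookup: keyed on the NAS address only, '' when no row matches."""
    row = db.execute(
        "SELECT groupname FROM radhuntgroup WHERE nasipaddress = ?", (nas_ip,)
    ).fetchone()
    return row[0] if row else ""

def howto_check(db, user, nas_ip):
    """Models: if (Huntgroup-Name == '') { reject }. The user is never consulted."""
    return "reject" if huntgroup_for(db, nas_ip) == "" else "continue"

def membership_check(db, user, nas_ip):
    """Additionally requires the user to belong to the group mapped to this NAS."""
    group = huntgroup_for(db, nas_ip)
    if group == "":
        return "reject"
    member = db.execute(
        "SELECT 1 FROM radusergroup WHERE username = ? AND groupname = ?",
        (user, group),
    ).fetchone()
    return "continue" if member else "reject"

if __name__ == "__main__":
    db = build_db()
    cases = [("alice", "192.0.2.10"), ("bob", "192.0.2.10"), ("alice", "198.51.100.7")]
    for user, nas in cases:
        print(user, nas, howto_check(db, user, nas), membership_check(db, user, nas))
```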