Make sense of SQL Huntgroup HOWTO?
Alan DeKok
aland at deployingradius.com
Fri Dec 18 17:38:24 CET 2015
On Dec 18, 2015, at 11:30 AM, Joel Bergmark <joel.bergmark at t3.se> wrote:
> What I want to do is to control users belonging to group "2ndline" to only access specific NAS defined as 2ndline in the huntgroups. If a member of 2ndline tries to log in to a NAS defined to 3rdline or any other group, FreeRADIUS should deny access.
Then write that down. It's pretty much that simple.
    if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) {
        reject
    }
This assumes that the NAS groups are in Huntgroup, and the user groups are in SQL.
> Assuming a user in 2ndline group trying to login to a NAS defined in huntgroup to be 3rdline
> update request {
> Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}" {
> }
Formatting matters.
    update request {
        Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
    }
Extra braces are a problem.
> if (Huntgroup-Name != users groupname 2ndline (I imagine this to be a sql query)
> reject
> }
Nope. Just use my example from above. It's simpler.
That is, it assumes that the user groups are in SQL, too.
> Sorry if this is something not supposed to be dealt with on this mailing list,
It is exactly what's supposed to be discussed here.
> but the alternative is to set up double radius servers, and that seems backwards. I will document the solution to this on the wiki, if I get it working.
That would be nice.
Alan DeKok.
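
Added example, not part of the original message and not code from the FreeRADIUS project: the huntgroup lookup and the group check from the reply placed together in one authorize section. It goes beyond the single condition in the message by also failing closed when the NAS has no row in radhuntgroup and by covering the case from the question (a 2ndline member on a NAS in another huntgroup). Assumptions: FreeRADIUS 3.x, an sql module instance named "sql" with group lookups configured, and the group name "2ndline" from the thread.

```unlang
# Added example; place inside the virtual server that handles these NASes.
authorize {
    preprocess

    # Load the sql module so the SQL-Group comparison can look up the
    # user's groups (assumed: groups stored through the sql module).
    sql

    # Map the NAS to its huntgroup, using the query from the message.
    update request {
        &Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
    }

    # Fail closed: a NAS with no row in radhuntgroup gives no usable
    # huntgroup, so none of the group rules below would match it.
    if (!&Huntgroup-Name || (&Huntgroup-Name == "")) {
        reject
    }

    # Condition from the message: only members of 2ndline may use a
    # NAS in the 2ndline huntgroup. SQL-Group is written as in the message.
    if ((&Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) {
        reject
    }

    # Case from the question: a member of 2ndline may not use a NAS in
    # any other huntgroup. A user who is also in another group is
    # rejected here as well; drop or adjust this rule if that is not wanted.
    if ((SQL-Group == "2ndline") && (&Huntgroup-Name != "2ndline")) {
        reject
    }

    # Remaining authorize modules (pap, chap, ...) stay as configured.
    pap
}
```

Running the server with `radiusd -X` while testing shows the expanded SQL query and which condition matched for each request.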