Variable expansion for SQL attributes

Javier Matos Odut javiermatos at
Fri Dec 9 16:21:22 CET 2016

On Fri, Dec 9, 2016 at 3:52 PM, Matthew Newton <mcn4 at> wrote:

> On Fri, Dec 09, 2016 at 03:24:35PM +0100, Javier Matos Odut wrote:
> > I have FreeRADIUS running with a sql database in production. I am using
> the
> > sql database to set user's check and reply attributes. The problem I have
> > is that there are some attributes that I need to set them at runtime
> > depending on the NAS identity (or any other FreeRADIUS variable), so I
> have
> > to edit the configuration file and add something like this:
> >
> > if (...) {
> >   update control {
> >     Pool-Name := "%{NAS-Identifier}"
> >   }
> > }
> >
> > Please, ignore the fact that I am updating the Pool-Name attribute. It is
> > just an example but it has sense in my case to let users switch between
> > and IP pools automatically.
> So you want to dynamically set NAS-Identifier here? or Pool-Name?
> > I want to be able to use variables in attributes column (for radcheck,
> > radreply, radgroupcheck, and radgroupreply tables). Then FreeRADIUS will
> > get those values for attributes and expand or evaluate them replacing
> > variable placeholders for concrete values. I don't want to modify the
> > configuration file to store any user's configuration as I am currently
> > doing.
> If you want to set particular attributes for particular users,
> then just add entries for those attributes into the radcheck
> table. You don't need to add the same attributes for all users.
> > I post a request on Github:
> >
> >
> > I was suggested to use SQL xlat expansion %{sql:SELECT ...} but that is
> not
> > useful in my case because I don't want to customize requests.
> I guess I'm not understanding what you want to do well enough.
> Maybe someone else can?
> It sounds like you either want to
> a) dynamically expand what the attribute is being set to for a
> user based on some random SQL values, in which case %{sql:...}
> should work, or
> b) dynamically change which attributes are being set, in which
> case different entries in radcheck should do it.
> ...or... something else?

Thank you so much for your answer Matthew,

My case I think is close to your b) case, and is as follows:

I need to have independent IP pools: one per NAS. For scaling my network
this is the best approach as my ip routes will be quite simple.

I know that I can set the Pool-Name attribute for a user by setting
Pool-Name := "Poolname" in radcheck or in radgroupcheck. The problem with
that approach are

(1) I have to know the NAS the user is connecting to and assign the correct

(2) that Pool-Name attribute is "fixed" and if I move a user from one NAS
to another NAS, then a wrong Pool-Name will be assigned to the user,

I have it working right now doing this in default config:

authorize {


  update control {
    Pool-Name := "%{NAS-Identifier}"

And it works fine. I have many NAS and an IP pool for each. Users will
connect and get a correct IP address based on the IP pool the NAS has

I don't like to have user configuration in FreeRADIUS configuration file,
so if I am able to save Pool-Name := %{NAS-Identifier} in radcheck and then
FreeRADIUS can get and expand that value it will be the same as I am doing
in configuration but without touching FreeRADIUS configuration at all.

> Maybe an example of what you want to put into the database and
> what you want to get out would help.

Let's say I have:

1) a NAS whose NAS-Identifier is "nas01",

2) a user "user01" in database that has an attribute -> Pool-Name :=

Then when user01 tries to connect and nas01 send a request to FreeRADIUS
the attribute Pool-Name will be evaluated to "%{NAS-Identifier}-hello" =>

Obviously, if user01 is moved to a future nas02, then Pool-Name will get
evaluated to "nas02-hello" when user tries to connect.

I hope my example is good to explain what I am trying to do.

> Matthew
> --
> Matthew Newton, Ph.D. <mcn4 at>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> For IT help contact helpdesk extn. 2253, <ithelp at>
> -
> List info/subscribe/unsubscribe? See
> list/users.html

More information about the Freeradius-Users mailing list