Variable expansion for SQL attributes

Matthew Newton mcn4 at leicester.ac.uk
Fri Dec 9 18:39:51 CET 2016


On Fri, Dec 09, 2016 at 04:21:22PM +0100, Javier Matos Odut wrote:
> On Fri, Dec 9, 2016 at 3:52 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> > b) dynamically change which attributes are being set, in which
> > case different entries in radcheck should do it.
> 
> My case I think is close to your b) case, and is as follows:
> 
> I need to have independent IP pools: one per NAS. For scaling my network
> this is the best approach as my ip routes will be quite simple.

OK, so you have different users that can connect to any NAS, and
one pool per NAS?

That should be simple.

> I know that I can set the Pool-Name attribute for a user by setting
> Pool-Name := "Poolname" in radcheck or in radgroupcheck. The problems with
> that approach are
> 
> (1) I have to know the NAS the user is connecting to and assign the correct
> Pool-Name,

Obviously, if the pool in use is defined by the NAS, not the user
that logs in.

> (2) that Pool-Name attribute is "fixed" and if I move a user from one NAS
> to another NAS, then a wrong Pool-Name will be assigned to the user,

OK...

> I have it working right now doing this in default config:
> 
> authorize {
> 
>   ...
> 
>   update control {
>     Pool-Name := "%{NAS-Identifier}"
>   }
> }

That looks fine to me (though note NAS-Identifier is sent by the
NAS, so you might want to use some other means if the NASes aren't
under your control).


> And it works fine.

Good.

> I have many NAS and an IP pool for each. Users will
> connect and get a correct IP address based on the IP pool the NAS has
> assigned.

Right.

> I don't like to have user configuration in FreeRADIUS configuration file,

So you've got a working config... but you don't like having custom
things in your config?

Sorry, I'm not getting it. The config is there so you can
configure it to work in your environment.

Maybe I'm still missing something.

> so if I am able to save Pool-Name := %{NAS-Identifier} in radcheck and then
> FreeRADIUS can get and expand that value it will be the same as I am doing
> in configuration but without touching FreeRADIUS configuration at all.

And include slower SQL lookups when it could be much faster using
three lines of unlang in the config.


> > Maybe an example of what you want to put into the database and
> > what you want to get out would help.
> 
> Let's say I have:
> 
> 1) a NAS whose NAS-Identifier is "nas01",
> 
> 2) a user "user01" in database that has an attribute -> Pool-Name :=
> "%{NAS-Identifier}-hello"
> 
> Then when user01 tries to connect and nas01 sends a request to FreeRADIUS
> the attribute Pool-Name will be evaluated to "%{NAS-Identifier}-hello" =>
> "nas01-hello".
> 
> Obviously, if user01 is moved to a future nas02, then Pool-Name will get
> evaluated to "nas02-hello" when the user tries to connect.
> 
> I hope my example is good to explain what I am trying to do.

If you really want to slow things down by looking up the
NAS-Identifier in SQL, you could configure a second instance of
sql that uses NAS-Identifier as the sql_user_name, then the
lookups will be based on the NAS rather than the user that is
logging in.

But I really can't see the point at the moment if you've got a
working config as-is, unless there's something more complicated
you're trying to do that's not coming across in your message.

SQL lookups are always going to be slower than an update in
unlang. It might be worthwhile if you had a big switch or
if/elseif type block that you have to keep editing, but for static
config it doesn't make any sense to me.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
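An added example, not from either poster: one way to choose the pool per NAS in unlang, in the if/switch style Matthew mentions, while keying on the client definition FreeRADIUS matched against the packet's source address and shared secret rather than on the NAS-Identifier value the NAS itself supplies. The client shortnames and pool names are constructed.

```unlang
# Added example (not from the thread). Assumes clients.conf defines
# clients with shortnames "nas01" and "nas02" (constructed names).
# %{client:shortname} is taken from the client block that matched the
# request's source IP and shared secret, so unlike NAS-Identifier it is
# not a value the NAS can pick for itself.
authorize {
    # (the usual authorize modules, e.g. sql, go here)

    switch "%{client:shortname}" {
        case "nas01" {
            update control {
                Pool-Name := "nas01-pool"
            }
        }
        case "nas02" {
            update control {
                Pool-Name := "nas02-pool"
            }
        }
        case {
            # Known client without a dedicated pool: fall back to a
            # shared pool instead of failing the request.
            update control {
                Pool-Name := "default-pool"
            }
        }
    }

    # rlm_sqlippool then picks the pool from %{control:Pool-Name}
    # (the default pool_name setting in the v3 sqlippool module).
}
```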

