Best way to deny users not matching any groups in the SQL DB

Alan DeKok aland at
Fri Feb 19 14:29:46 CET 2016

On Feb 18, 2016, at 10:03 AM, Sylvain Munaut <s.munaut at> wrote:
> I have one group defined per service (so one per wifi SSID, one for
> VPN, ...) that make sure that the correct returns attributes are in
> the response.

  That's good.

> What I'd like is that if either :
> - The user doesn't exist at all in the DB
> - Or the user exists but it didn't match any groups (because the user
> doesn't have access to the particular service he's trying to use).
> Then access should be denied.
> What's the recommended way to achieve that result ?

  Create an SQL table with 2 columns, user and SSID.  Then, write a SELECT statement which looks up user and SSID.  If it returns anything, the user is allowed to use that SSID.  If it returns nothing, the user isn't allowed to use that SSID.

	if (! "%{sql:SELECT user FROM my_table WHERE user=%{User-Name} AND SSID=%{Called-Station-ID}}") {
	# else it's OK

  You'll have to double-check the SQL select statement, of course.  But that's the general idea.

  Alan DeKok.

More information about the Freeradius-Users mailing list