Dynamic User Help

Alan DeKok aland at deployingradius.com
Tue Feb 23 21:36:40 CET 2016

On Feb 23, 2016, at 3:32 PM, J Kephart <jkephart at safetynetaccess.com> wrote:
> OK, so we're finally at the point at which we're attempting to integrate
> this into our configuration.  The intent, per Alan's guidance, is to
> insert the following statements at the top of the authorize section:
> if ("%{Called-Station-Id}" =~ "^<some-mac-prefix>") {
>    User-Group-Name = "%{sql: SELECT group_name from <table_name> where \
>         site_id='%{NAS-Identifier}' and
> mac_address='%{Calling-Station-Id}' \
>         and vlan_id='%{NAS-Port-Id}'}"

  User-Group-Name needs to be in an "update" section.  See "man unlang".

	update request {
		User-Group-Name = "%{sql: ...

>    if ("%{User-Group-Name}" != "" {

  That can be simplified to:

	if (&User-Group-Name != "") {

>             %{sql: update radusergroup set groupname='%{User-Group-Name}' \
>             where username='%{Calling-Station-Id}'";

  You can't just put SQL statements into a block.  You need an "update" section.  See again "man unlang".  e.g.:

	update request {
		Tmp-String-0 := "%{sql:UPDATE ...}"

> If we find a match on the group_name in the first query, we would update
> the radusergroup entry for the given MAC address and then simply fall
> through to allow normal processing to continue.

  You'll have to ensure that the RADIUS server is allowed to edit the radusergroup table.  IIRC, the default permissions don't allow this.

  Alan DeKok.

More information about the Freeradius-Users mailing list