Freeradius3 + SQL -> radusergroup check is not matched

Alan DeKok aland at
Mon May 15 14:40:09 CEST 2017

On May 15, 2017, at 6:18 AM, Martin Bednar <mato.bednar at> wrote:
> basic authentication is working fine, however I have problem with
> groupcheck. What I'm trying to achieve is to limit user per SSID. I
> have created 2 profiles with appropriate reply actions
> MariaDB [radius]> select * from radgroupcheck;
> +----+---------------------------+-------------------+----+----------------------+
> | id | groupname                 | attribute         | op | value
>          |
> +----+---------------------------+-------------------+----+----------------------+
> |  1 | Reject-Profile            | Auth-Type         | := | Reject
>          |
> |  6 | SSID_EMPL-Test     | Aruba-Essid-Name  | == | EMPL-Test            |

  Which says that anyone in the SSID_EMPL-Test is rejected if they use the EMPL-Test  SSID.

  That's probably not what you want.

> Expectation is that Radius will check whether user is connecting to
> the SSID "EMPL-Test" if so it will be accepted otherwise it will go to
> Reject profile and request will be rejected.

  Please read the Wiki for how the SQL module works.  This is documented.

> What I don't really understand is that if I do the test with radclient
> I got Accept:

  The reason is buried in the debug output, and isn't immediately obvious.

> Any idea what could be the problem ?

  Write down what you want the server to do.  Read the SQL module documentation.  Then, configure it to do what you want...

  The simples approach TBH is to just create a custom table, which has columns User-Name and Aruba-Essid-Name.  Populate it with the information on who is allowed to use what SSID.

  Then, do a select:

	if "%{sql:SELECT username from SSID_TABLE where username = %{User-Name} and SSID = %{Aruba-Essid-Name}" == "") {

  i.e. look up the user in the table by name and SSID.  If there's no entry, reject the user.

  The default SQL schema in FreeRADIUS is designed (and documented) to do one thing.  If you want to do something else, it's often best to create a custom table.

  Alan DeKok.

More information about the Freeradius-Users mailing list