Freeradius3 + SQL -> radusergroup check is not matched

Martin Bednar mato.bednar at
Mon May 15 20:57:30 CEST 2017

Hello Alan,

again thanks for your time. The goal is simple. When is user
connecting to the wireless network he is asked for username/password
if there is a match and at the same time he is allowed to use this
SSID he is authenticated.

username/password check should happen in radcheck table
SSID check should happen in radusergroup table

>> MariaDB [radius]> select * from radgroupreply where groupname =

>> "SSID_EMPL-Test";
>> +----+----------------+-----------+----+--------+
>> | id | groupname      | attribute | op | value  |
>> +----+----------------+-----------+----+--------+
>> |  6 | SSID_EMPL-Test | Auth-Type | :=  | Accept |
>> +----+----------------+-----------+----+--------+
>> 1 row in set (0.00 sec)

>  i.e. anyone who logs into the  EMPL-Test SSID gets accepted?

You're right - that's not right. In this case even if the
username/password would be wrong user would receive Access Accept. I
believe that normally there is no need for radgroupreply item because
Access Accept/Reject is already set from radcheck.

Would it works like this ?

Check user in radcheck -> is  username/passsword are ok -> Accept
otherwise Reject
Check user in radgroupcheck -> for allowed SSID there would be group
with no reply action -> if no match last group (highest priority)
would be Reject which would be always matched.

Yes solution proposed by you looks straightforward and would probably
work but I have no idea where I should put that condition and I'm
afraid that if I'd go this direction it would bring more questions
than answers.

Thanks for help
"Martin Bednar"

More information about the Freeradius-Users mailing list