[EXTERNAL] Re: How group works in Radius

Winfield, Alister Alister.Winfield at sky.uk
Wed Sep 5 16:44:38 CEST 2018

One thing you might look at is (ab)using the CLASS attribute... if the device you are using is following the standard it’s a handy attribute that should be copied from the accept response into the accounting packets. Might help you avoid extra lookups.

**Sadly having seen too many broken RADIUS implementations on vendors devices no promises that it’s a useful idea.**


On 05/09/2018, 13:16, "Freeradius-Users on behalf of Somanath Mishra" <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org on behalf of somanath.mishra at planetsbrain.com> wrote:

    so i have gone through queries.conf file. So not able to understand how to
    fetch group data after authentication , and not able to find
    authcheck_table, authreply_table and usergroup_table. Can you please
    suggest how will i proceed?

    On Fri, August 31, 2018 6:15 pm, Alan DeKok wrote:

    >> On Aug 31, 2018, at 7:39 AM, Somanath Mishra
    >> <somanath.mishra at planetsbrain.com> wrote:
    >> We are using Freeradius3. So basic authentication,authorization,
    >> accounting is working. We created group in radgroupcheck. On Register
    >> user we are storing username with group in radusergroup. So still we are
    >> not getting groupname in radacct table. So in debug we found radius only
    >> not sending groupname when it is giving input to radacct.
    > No, you found that the accounting packets don't contain the group name.
    >> We need group for users . Can anyone explain me on how it works for
    >> group?
    > Accounting packets are entirely independent from authentication packets.
    > If you want to get the user's group when the server receives the
    > accounting packet, you must do the group lookup again.
    > The server doesn't magically know the user's group when it receives the
    > authentication packet.  It has to look up the group in SQL.  So... the
    > same thing goes for accounting packets.
    > Alan DeKok.
    > -
    > List info/subscribe/unsubscribe? See
    > http://www.freeradius.org/list/users.html

    List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
    This email is from an external source. Please do not open attachments or click links from an unknown or suspicious origin. Phishing attempts can be reported by sending them to phishing at sky.uk as attachments. Thank you

Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky plc and Sky International AG and are used under licence.

Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are direct or indirect subsidiaries of Sky plc (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD.

More information about the Freeradius-Users mailing list