what would cause sql to return reject response?

Bipin Patel bipin at xbipin.com
Mon Feb 11 20:55:49 CET 2019

The part about checking the SQL-group for disabled didn't click to me so 
let me try that, hopefully it should work help me skip calling the php 
script which basically just sets the bandwidth which I don't need to call 
if account is part of disabled group.

Setting auth-type to reject works like daloradius does but the call to php 
script would still run which I'm trying to avoid coz no point setting 
bandwidth from the group with priority 1 when the group with priority 0 
says auth-type reject. Earlier I used to think SQL module would respond 
with reject which clearly doesn't and thanks for the clarification,  coz 
most docs say it has possible response of reject also and I was wondering 
why isn't it responding with that and went on a quest to figure out what 
situation would cause it to respond with that.

Btw the hotspot is mostly ready to use and once I add even more features I 
shall be releasing it as open source if it helps others. Mikrotik router 
based hotspot with FR running on raspberry pi for very small setups but it 
can run on any normal Debian machine too.

On February 11, 2019 9:07:50 PM Alan DeKok <aland at deployingradius.com> wrote:

> On Feb 11, 2019, at 11:33 AM, Bipin Patel via Freeradius-Users 
> <freeradius-users at lists.freeradius.org> wrote:
>> basically i have developed a full web gui for mikrotik routers and
>> freeradius to work as a hotspot where the web gui talks to the sql db
>> directly and the user can create plans which would be the radius groups
>> and associated check and reply attributes.
>  Ok...
>> I have created a disable
>> client account option which deactivates the account and what i saw in
>> daloradius was it used to create a disabled group with priority 0 and
>> sets the Auth-Type attribute to Reject, i know the docs mention not the
>> set the auth-type directly but i dont see a way to do it directly in FR
>  That should work.  If it doesn't, read the debug output as suggest in the 
>  "man" page, web pages, and the message you get when joining this list.
>  No amount of randomly changing things will fix it.  You need to understand 
>  what it's doing.
>> so i followed the same method and the reason i was assuming the sql
>> module would reject seeing the auth-type to reject using the reject
>> response but later noticed it would never respond with reject. I
>> searched all docs and the book but no place it mentions under what cases
>> sql module would respond with reject and i wanted to sql module to
>> reject
>  It doesn't.  You want the group to match.
>> so i can reply with "account disabled" and not have the rest of
>> the authorize section to execute coz later down the section i have a
>> call to a php script and im trying to reduce calls to it unless the
>> account is enabled and id/pass match
>  If you want to skip parts of the "authorize" section, you will need to 
>  check for that and write the policy.  Something like:
> authorize {
> ...
> sql
> if (SQL-Group == "disabled") {
>  reject
> }
> ...
> }
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list