How to deal with device self-registration best?

Nilsson, Cristian (Göteborg) Cristian.Nilsson at
Mon Feb 3 14:18:52 CET 2020


Thank you for reply!

I am however not really sure I completely understand how to bind this new table to also take into consideration accounting.

I have created a new table inside "radius" db:

MariaDB [radius]> describe macauth;
| Field      | Type            | Null | Key | Default           | Extra                       |
| id         | int(6) unsigned | NO   | PRI | NULL              | auto_increment              |
| macaddress | varchar(17)     | NO   |     | NULL              |                             |
| usergroup  | varchar(64)     | NO   |     | NULL              |                             |
| reg_date   | timestamp       | NO   |     | CURRENT_TIMESTAMP | on update CURRENT_TIMESTAMP |
4 rows in set (0.00 sec)

I have edited _sites-enabled/default_ "authorize {" section and added:

if ("%{sql:SELECT COUNT(macaddress) FROM macauth WHERE macaddress = '%{User-Name}'}" != 0) {
        update control {
                Auth-Type := "Accept"
else {
        %{sql:INSERT INTO macauth VALUES (0, '%{User-Name}', '5min', NULL)}

Now this does work, the user is allowed and I see an entry made in table macauth for each new device.
I am not sure this is a good or a bad way to accept users thou...

And I am now quite clueless as of how to bind this into accounting also... I need to give users some attributes to handle session timers etc. (they would in this case need to match group "5min").

If you could so kindly give me a direction here also I would much appreciate it!


-----Original Message-----
From: Freeradius-Users < at> On Behalf Of Alan DeKok
Sent: den 29 januari 2020 15:15
To: FreeRadius users mailing list <freeradius-users at>
Subject: Re: How to deal with device self-registration best?

On Jan 29, 2020, at 2:26 AM, Nilsson, Cristian (Göteborg) <Cristian.Nilsson at> wrote:
> While your way definitely seems like the best way I don't think we have that option with extreme wing controllers.

  That makes it harder.

> Where would I start looking to modify the access-accept/reject function of freeradius?
> My idea is to do the normal check and if failed just insert into the database.

  Since this is a specialized use-case, I would suggest creating a specialized table in SQL.  There's no need to use the default schema, which is complicated.

  Just create a table of known MACs, and then run SQL queries from unlang:

authorize {

	if ("%{sql:SELECT mac FROM table WHERE mac = '%{User-Name}}" != "") {
		#  Just run an SQL INSERT with some magic unlang so that it runs
		update control {
			Tmp_String-0 := "%{sql:INSERT into table MAC = '%{User-Name}'}"

  You will need to create the table, set the correct permissions, and fix the queries for your SQL server.  But that's the basic idea.

  Alan DeKok.

List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list