SQL Simultaneous usage checks

Alan DeKok aland at deployingradius.com
Wed Jul 21 15:02:46 CEST 2021

On Jul 21, 2021, at 8:03 AM, David Herselman <dhe at syrex.co> wrote:
> Thank you for your feedback. A debug on the legacy FR v1 system is unfortunately not as granular as with FR v3, but it would appear that FR v1 (perhaps incorrectly) didn't replace := values from the SQL radcheck table with ':=' values returned by radgroupcheck.

  Quite possibly.  That version has been EOL for probably 10 years.  In fact, even version 2 has been EOL for many years.

> Reading through https://wiki.freeradius.org/config/Operators bring me hope that I could possibly set the radcheck operator for this attribute as ':=' and then set the radgroupcheck operator as '=', but I'm concerned about the comment in the documentation that this is 'Not allowed as a check item for RADIUS protocol attributes.'
> My understanding of using the '+=' operator is that the resulting value would be 24, is this incorrect?

  That's not correct.  See the documentation for the "+=" operator.

  And yes, you could use ":=" for radcheck, and "=" for radgroupcheck.  That would work, too.

> PS: Thank you for your recommendation on replacing 'User-Password' with 'Cleartext-Password'. This is on the cards, but we have to allow for a transition period where legacy and new FR nodes reference a common database. We are subsequently using unlang to do the following before pap in the authorize section:
>  if (!control:Cleartext-Password && control:User-Password) {
>    update control {
>      Cleartext-Password := "%{control:User-Password}"

  Just do

	Cleartext-Password := &control:User-Password

  There's no need to expand it to a string, and then parse it back as a string.

  Alan DeKok.

More information about the Freeradius-Users mailing list