Can we re-order the authorization queries in the SQL module?

Nick Porter nick at
Thu Nov 23 08:51:01 UTC 2023

On 23/11/2023 02:40, James Fan wrote:
> Hi Alan and Gerald,
> Thanks for your answer.
> My problem was if I set a user attribute name "vlan_id" which is stored in
> the radreply table and the radgroupreply table. But they have different
> values.
> The client will receive the value for the "vlan_id" in the radgroupreply.
> But we want to make the radreply attributes a higher priority to overwrite
> the radgroupreply values for the same attribute.
> After studying the SQL module, I found a solution that uses
> multiple instances to separate the queries like below:
> sql sql-group {
>    # Do group reply queries
> }
> sql sql-user-reply {
>    # Do user reply queries
> }
> So we can run these modules using this order:
> sql-group-reply.authorize
> sql-user-reply.authorize
> That makes the user attributes overwrite the group attributes and resolves
> our problem.
> I wonder if that is the best solution or if you have any good ideas. Thanks.
That is an over complicated solution.

As per Alan's previous comments, correct use of the operators in the 
data will do what you need.

Use := when setting VLAN attributes in radreply and use = when setting 
in radgroupreply.

:= - set the attribute, removing any other instances.

= - set the attribute, only if no existing instance exists.


Nick Porter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Freeradius-Users mailing list