%{SQL-User-Name} parsing in authorize section - bug?
Igor Smitran
sigor at blic.net
Mon Oct 30 14:05:55 UTC 2023

Hi list,
Have I found a bug, or have I made a mistake in configuring FreeRADIUS, 
version 3.2.3 from the networkradius Ubuntu repo...
When I put this into the authorize section:
authorize {
...
        # MAC LIMIT
        update control {
                Tmp-Integer-3 := "%{sql: SELECT count(*) FROM radcheck WHERE Username = '%{SQL-User-Name}' and (mac_limit='%{Calling-Station-Id}' or mac_limit='*');}"
        }
...
}
it doesn't work; SQL-User-Name is empty:
(0)       update control {
(0)         EXPAND %{User-Name}
(0)            --> testuser
(0)         SQL-User-Name set to 'testuser'
rlm_sql (sql): Reserved connection (2)
(0)         Executing select query:  SELECT count(*) FROM radcheck WHERE 
Username = '' and (mac_limit='' or mac_limit='*');
rlm_sql (sql): Released connection (2)
(0)         EXPAND %{sql: SELECT count(*) FROM radcheck WHERE Username = 
'%{SQL-User-Name}' and (mac_limit='%{Calling-Station-Id}' or 
mac_limit='*');}
(0)            --> 0
(0)         Tmp-Integer-3 := 0
(0)       } # update control = noop
If User-Name is used instead of SQL-User-Name it works:
authorize {
...
        # MAC LIMIT
        update control {
                Tmp-Integer-3 := "%{sql: SELECT count(*) FROM radcheck WHERE Username = '%{User-Name}' and (mac_limit='%{Calling-Station-Id}' or mac_limit='*');}"
        }
...
}
(0)       update control {
rlm_sql (sql): Reserved connection (2)
rlm_sql (sql): Released connection (2)
(0)         EXPAND %{User-Name}
(0)            --> testuser
(0)         SQL-User-Name set to 'testuser'
rlm_sql (sql): Reserved connection (3)
(0)         Executing select query:  SELECT count(*) FROM radcheck WHERE 
Username = 'testuser' and (mac_limit='' or mac_limit='*');
rlm_sql (sql): Released connection (3)
(0)         EXPAND %{sql: SELECT count(*) FROM radcheck WHERE Username = 
'%{User-Name}' and (mac_limit='%{Calling-Station-Id}' or mac_limit='*');}
(0)            --> 1
(0)         Tmp-Integer-3 := 1
(0)       } # update control = noop
It looks like SQL-User-Name population is done after authorize is 
processed, I am not sure. Everywhere else I am able to use 
SQL-User-Name, including queries.conf. But not in authorize.
Please correct me if I am wrong. I would appreciate any help. If it's my 
error, then even better. It's not such a big problem, but it's annoying.
The same setup works in 2.1 but not in 3.0 and 3.2.
Thank you,
Igor Smitran
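
Added example, not part of the original post: a small Python check that scans FreeRADIUS debug output like the excerpts above for executed SQL queries in which an attribute expanded to an empty string (such as `Username = ''`), so that a lookup like the MAC limit one does not silently run against empty values. The sample lines are constructed in the format shown in the post (including the mail client's line wrapping), and the function names are hypothetical.

```python
import re

# Constructed sample in the debug format quoted in the post, wrapped as in the mail.
SAMPLE_DEBUG = """\
(0)         SQL-User-Name set to 'testuser'
rlm_sql (sql): Reserved connection (2)
(0)         Executing select query:  SELECT count(*) FROM radcheck WHERE 
Username = '' and (mac_limit='' or mac_limit='*');
rlm_sql (sql): Released connection (2)
(0)         SQL-User-Name set to 'testuser'
rlm_sql (sql): Reserved connection (3)
(0)         Executing select query:  SELECT count(*) FROM radcheck WHERE 
Username = 'testuser' and (mac_limit='' or mac_limit='*');
rlm_sql (sql): Released connection (3)
"""

# A log record starts with a request id "(N)" or a module prefix "rlm_x (inst):".
RECORD_START = re.compile(r"^(\(\d+\)|rlm_\w+ \(\w+\):)")
QUERY = re.compile(r"^\((\d+)\)\s+Executing select query:\s+(.*)$")
# column = '' : a comparison against an empty string literal.
EMPTY_CMP = re.compile(r"(\w+)\s*=\s*''(?!')")


def unwrap(text):
    """Rejoin lines that were wrapped when the log was pasted into mail."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def empty_comparisons(text):
    """Return (request_id, [columns compared to '']) for each executed query."""
    findings = []
    for record in unwrap(text):
        match = QUERY.match(record)
        if not match:
            continue
        columns = EMPTY_CMP.findall(match.group(2))
        if columns:
            findings.append((int(match.group(1)), columns))
    return findings


if __name__ == "__main__":
    for request_id, columns in empty_comparisons(SAMPLE_DEBUG):
        print(f"request {request_id}: empty expansion in {', '.join(columns)}")
```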
    
    