Reject certificate in use

Rodrigo Prieto rodrigoprieto2019 at gmail.com
Wed Nov 13 06:51:37 UTC 2024


Hello, I was trying what you told me and it worked. I use the following
configuration:

/etc/freeradius/sites-available/default

post-auth {
    # Only act when the supplicant presented a client certificate (EAP-TLS)
    # and the NAS sent the station's MAC address.
    if (TLS-Client-Cert-Common-Name && Calling-Station-Id) {
        # First time this CN is seen: bind it to the current Calling-Station-Id.
        # Values expanded inside %{sql:...} are escaped by rlm_sql before the
        # query is sent.
        if ("%{sql:SELECT COUNT(*) FROM radius_clients WHERE cn='%{TLS-Client-Cert-Common-Name}'}" == "0") {
            update control {
                Tmp-String-0 := "%{sql:INSERT INTO radius_clients (cn, calling_station_id) VALUES ('%{TLS-Client-Cert-Common-Name}', '%{Calling-Station-Id}')}"
            }
        } else {
            # CN already bound: reject if it now comes from a different station.
            if ("%{sql:SELECT calling_station_id FROM radius_clients WHERE cn='%{TLS-Client-Cert-Common-Name}'}" != "%{Calling-Station-Id}") {
                reject
            }
        }
    }
....
}

/etc/freeradius/mods-available/sql

sql {
    dialect = "mysql"
    driver = "rlm_sql_${dialect}"
    server = "localhost"
    login = "usuario_db"
    password = ""
    radius_db = "radius"
}

Several warnings appear about things that are not found in the SQL module,
because I only use it to connect to the server. Below is an example, but
there are several warnings.

(5) sql: WARNING: Cannot do check groups when group_membership_query is not set

Other warnings I notice are the following:

rlm_sql (sql): Opening additional connection (0), 1 of 10 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version.
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.39-0ubuntu0.24.04.2, protocol version 10

I was reading that mysql is not going to allow that form of reconnection.
Is there any configuration I can do for that warning or does freeradius
have to change something in its code?

Thank you for giving me your knowledge. I learn a lot.

On Mon, 11 Nov 2024 at 18:05, Alan DeKok (<aland at deployingradius.com>)
wrote:

> On Nov 11, 2024, at 3:57 PM, Rodrigo Prieto <rodrigoprieto2019 at gmail.com>
> wrote:
> >
> > Thanks for responding again. I know that it is not easy to configure any
> > server in Linux. What I did was create a database and import schema.sql:
> > mysql -u radius -p radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql
> > When the client connects, it writes to the postauth table but when
> > disconnecting and reconnecting, an error is output from the radcheck
> > table. I'm stuck at that point. Maybe I have to create my own schema as
> > you told me and stop using the freeradius schema? Thanks for the patience.
>
>   Yes, you have to create your own schema, that's what I said in my last
> message.
>
>   The default schema in FreeRADIUS does something quite different, and is
> *documented* as doing something else.
>
>   Alan DeKok.
>
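The post-auth policy in the message above pins a client-certificate CN to the first Calling-Station-Id it is seen with and rejects the CN from any other station. The following is an added example that models that policy outside FreeRADIUS; it is not FreeRADIUS or rlm_sql code. The table name `radius_clients` and its columns `cn` and `calling_station_id` come from the post; the use of SQLite, the PRIMARY KEY on `cn` (so two concurrent "first sightings" cannot both insert), the MAC normalisation and the single SELECT in place of the post's COUNT-then-SELECT pair are this example's own assumptions.

```python
"""Trust-on-first-use binding of a certificate CN to a Calling-Station-Id.

Added example mirroring the unlang post-auth policy from the message above.
Assumptions (not from the post): SQLite in memory, PRIMARY KEY on cn,
MAC addresses normalised before comparison.
"""
import sqlite3

# Table and column names are the ones used in the post; the key constraint is
# an assumption so that a duplicate first sighting fails instead of creating
# a second row for the same CN.
SCHEMA = """
CREATE TABLE IF NOT EXISTS radius_clients (
    cn                 TEXT PRIMARY KEY,
    calling_station_id TEXT NOT NULL
);
"""


def open_db(path=":memory:"):
    """Open (or create) the binding database."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def normalize_mac(calling_station_id):
    """Reduce 'aa-bb-cc-dd-ee-ff', 'AA:BB:CC:DD:EE:FF' and 'aabb.ccdd.eeff'
    to the same 12 upper-case hex digits, so the binding does not depend on
    how a particular NAS formats Calling-Station-Id.  The posted policy
    compares the raw string; normalising is this example's choice."""
    return "".join(ch for ch in calling_station_id if ch.isalnum()).upper()


def post_auth(conn, cn, calling_station_id):
    """Return 'accept' or 'reject' for one successful authentication.

    - CN not bound yet   -> bind to this station and accept (trust on first use)
    - binding matches    -> accept
    - binding differs    -> reject
    Missing attributes   -> accept, like the outer `if` in the unlang policy
    """
    if not cn or not calling_station_id:
        return "accept"
    mac = normalize_mac(calling_station_id)

    # Parameterised query: the CN comes from a certificate and is untrusted
    # input (rlm_sql escapes nested expansions for the same reason).
    row = conn.execute(
        "SELECT calling_station_id FROM radius_clients WHERE cn = ?", (cn,)
    ).fetchone()

    if row is None:
        try:
            with conn:  # commits on success, rolls back on error
                conn.execute(
                    "INSERT INTO radius_clients (cn, calling_station_id) VALUES (?, ?)",
                    (cn, mac),
                )
            return "accept"
        except sqlite3.IntegrityError:
            # Another request bound this CN between our SELECT and INSERT;
            # fall through and compare against the row that won.
            row = conn.execute(
                "SELECT calling_station_id FROM radius_clients WHERE cn = ?", (cn,)
            ).fetchone()

    return "accept" if row[0] == mac else "reject"


def bindings(conn):
    """Current CN -> station bindings, for inspection."""
    return dict(conn.execute("SELECT cn, calling_station_id FROM radius_clients"))


if __name__ == "__main__":
    # Constructed sample events, not real authentications.
    db = open_db()
    for cn, station in [
        ("laptop01", "AA:BB:CC:DD:EE:FF"),  # first sighting: bound
        ("laptop01", "aa-bb-cc-dd-ee-ff"),  # same MAC, other format: accept
        ("laptop01", "11:22:33:44:55:66"),  # cert reused elsewhere: reject
        ("laptop02", "11:22:33:44:55:66"),  # different CN: its own binding
    ]:
        print(cn, station, "->", post_auth(db, cn, station))
    print(bindings(db))
```

The IntegrityError branch is what the COUNT-then-INSERT pair in the post lacks: without a uniqueness constraint, two first sightings of the same CN arriving together would both pass the COUNT check and both insert, and the later SELECT would return an arbitrary one of the two rows.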

