
List:       freeradius-users
Subject:    MySQL: Checking Attributes for multiple values
From:       Andreas Liebe <liebe () hrz ! tu-darmstadt ! de>
Date:       2006-07-30 9:00:21
Message-ID: 1154250022.9466.34.camel () darkstar

I try to set up a FreeRadius where any user can be a member of one or
more groups. The groups should check which service the user is using.
Access should be granted if one of the groups has a match.

I used the docs at http://wiki.freeradius.org/index.php/Rlm_sql.

The 2 groups in this example should check if the request is coming from
concentrator A resp. B. If a user is a member of both groups, access should
be granted if he's either using A or B, but only access through A is
permitted. If a user is only a member of group A or B then everything is
fine.

As it turns out the check for IP A is a match for the radius server and
thus access is denied because the IP in the request is B. But according
to the docs "==" should only match if both attribute and value match.
I would expect the first test not to be a match and to try the 2nd test
next.

When I change the Attribute in the 1st test from NAS-IP-Address to an
attribute not in the request the access from IP B is granted.

Probably I misunderstood the checking algorithm. Can you give me a hint
how to configure this correctly?

I tested with FreeRadius 1.1.2 and a pre 1.0.

Thanks,

 -Andreas

radcheck:
| id   | UserName                | Attribute       | op | Value   |
+------+-------------------------+-----------------+----+---------+
|    1 | joe                     | Password        | == | blah    |

radreply:
| id | UserName        | Attribute    | op | Value |
+----+-----------------+--------------+----+-------+
|  1 | joe             | Fall-Through | =  | Yes   |

usergroup:
| id | UserName                  | GroupName |
+----+---------------------------+-----------+
|  1 | joe                       | My01group |
|  2 | joe                       | My02group |

radgroupcheck:
| id | GroupName  | Attribute      | op | Value           |
+----+------------+----------------+----+-----------------+
|  1 | My01group  | NAS-IP-Address | == | 10.11.12.13     |
|  2 | My02group  | NAS-IP-Address | == | 10.11.12.14     |


