On Thu, Jul 18, 2013 at 10:46 AM, Alan DeKok <al...@deployingradius.com> wrote:
> Navodit Bhardwaj wrote:
>> For each Access-Request received and authenticated successfully I want
>> to do the following:
>>
>> 1. Verify if Access-Request contains a parameter i.e. IMEI of mobile
>> 2. If Not, send Access-Reject. Else,
>> 3. compare IMEI to value in database and assign a 32bit hex number in
>> Access-Accept
>
> You should be able to just write this in unlang. Write down which
> attributes you have, and what values you're looking for. Then, write
> the logic.

Navodit,

I just asked a similar question and this is the logic I added to my
default site, right after 'preprocess':

    if (CVPN3000-Tunnel-Group-Name == 'Bookstore') {
        if (SQL-Group == 'RADIUS:bookstore') {
            noop
        }
        else {
            reject
        }
    }

What the above logic "says" is: If the user is requesting to be in the
Bookstore VPN group then if they are part of the RADIUS:bookstore group,
continue (noop), else reject them.

You'll need to change 'CVPN3000-Tunnel-Group-Name' and 'Bookstore', and
remove the second 'if' statement.

>> Basically, I am doing a second authentication after initial
>> authentication (PAP, CHAP) is successful.
>
> Don't do that. Do it *before* PAP or CHAP. In the "authorize" section.

Alan,

I've got a similar question that dovetails into this discussion.
Suppose I wanted to reject certain users and wanted the Reply-Message to
be customized per user authenticating, but I want to ensure that I am
not leaking the customized message. Is there a way to test the user/pw
combo first and *then* perform unlang logic?

Thanks,
-mz
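
Added example (not from the original thread or from the FreeRADIUS project): one way the three steps in the quoted question could be written in unlang, placed in "authorize" ahead of PAP/CHAP as advised above. Assumptions: the NAS sends the IMEI in 3GPP-IMEISV, an "sql" module instance is configured, and the table device_imei (columns username, imei, hex_id) and the reply attribute Example-Hex-Id are hypothetical names.

```unlang
authorize {
    preprocess

    # Assumption: the NAS puts the IMEI in 3GPP-IMEISV. Substitute
    # whichever attribute your NAS actually sends.
    if ("%{3GPP-IMEISV}" == "") {
        # Steps 1-2: no IMEI in the Access-Request, so Access-Reject.
        reject
    }
    elsif ("%{sql:SELECT imei FROM device_imei WHERE username = '%{User-Name}'}" != "%{3GPP-IMEISV}") {
        # Step 3: stored value differs from the one presented.
        # device_imei and its columns are hypothetical. A user with no
        # row expands to an empty string, which cannot equal the
        # non-empty IMEI checked above, so the policy fails closed.
        reject
    }
    else {
        # Example-Hex-Id is a hypothetical attribute that needs its own
        # dictionary entry; it carries the per-device value that goes
        # out in the Access-Accept.
        update reply {
            Example-Hex-Id := "%{sql:SELECT hex_id FROM device_imei WHERE username = '%{User-Name}'}"
        }
    }

    # ... remaining modules (chap, files or sql, pap) as in the
    # default site, so password checks run only after the IMEI policy.
}
```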