> >>I thought I'd try reposting this under a more descriptive title :)
> >>
> >>Let's say that I have two completely different profiles, but they have the
> >>same User-Name.
> >>
> >>(This is not a situation that I would have thought crops up very often,
> >>but I'm reading some Cisco SSG documentation and from what I can tell, you
> >>can have regular user profiles, but also user "quota" profiles which are
> >>accessed with the same User-Name but which return different attributes in
> >>the Access-Accept)
> >>
> >>Let's say you distinguish between the two different profiles in the
> >>Access-Request by the presence of one attribute, i.e. if a certain
> >>attribute is there, you want one profile; if the attribute isn't there,
> >>you want the other profile. Both profiles are returned via an
> >>Access-Accept.
> This is likely a stupid question, but... how would one do this with the sql
> module?
>
> I took a look at the sql.conf file. From what I can tell, you can configure
> the SELECT statement that FreeRADIUS uses to obtain the check items for a
> particular user name, but there doesn't seem to be a distinction between
> different "profiles", like we have in the users file. There's just one big
> radcheck table that is queried for check items based on whatever User-Name
> you like.
If I recall correctly a similar question was asked sometime last week.
One way to accomplish this would be to create two separate SQL connections, sql1 & sql2:

    sql sql1 {
        driver = "rlm_sql_mysql"
        ...
    }
    sql sql2 {
        driver = "rlm_sql_mysql"
        ...
    }
<snip>
In radiusd.conf add the appropriate Autz-Type entries to the 'authorize' section, see 'Autz-Type' in the FreeRADIUS docs.

    authorize {
        suffix
        preprocess
        Autz-Type SQL1 {
            sql1
        }
        Autz-Type SQL2 {
            sql2
        }
        files
    }
Thanks. This is fairly clear.
I suppose I can set up two different tables for the two different types of user profiles. Each sql module looks at a different table. A failed attempt to access the user credentials from the first table (because the check list didn't match) would cause the second sql module to be invoked and hence the second table to be searched.
It just seems to me that this is rather heavy. You're doubling the number of connections to the database, because there are two separate modules running, each with their own "connection pool" (if that's the right term).
Desmond
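
The fall-through described in the message above (the first table's check list fails to match, so the second table is searched), modelled in Python as an added example that is not part of the original thread and is not FreeRADIUS code. The table names, the sample user and the `Example-Quota-Flag` attribute are constructed; the model uses one SQLite connection for both table pairs and compares check items by equality only.

```python
import sqlite3

# Constructed sample data: two check/reply table pairs, same User-Name in both.
# "Example-Quota-Flag" is a hypothetical attribute name, not one from the thread.
SCHEMA = """
CREATE TABLE quota_check (username TEXT, attribute TEXT, value TEXT);
CREATE TABLE quota_reply (username TEXT, attribute TEXT, value TEXT);
CREATE TABLE user_check  (username TEXT, attribute TEXT, value TEXT);
CREATE TABLE user_reply  (username TEXT, attribute TEXT, value TEXT);
INSERT INTO quota_check VALUES ('alice', 'Example-Quota-Flag', '1');
INSERT INTO quota_reply VALUES ('alice', 'Session-Timeout', '600');
INSERT INTO user_check  VALUES ('alice', 'NAS-Port-Type', 'Ethernet');
INSERT INTO user_reply  VALUES ('alice', 'Framed-IP-Address', '192.0.2.10');
"""

# Search order mirrors the thread: first profile table, then the second.
PROFILES = [("quota_check", "quota_reply"), ("user_check", "user_reply")]

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def authorize(db, request):
    """Return reply attributes of the first profile whose check items all match."""
    user = request.get("User-Name")
    for check_table, reply_table in PROFILES:  # fixed names, never user input
        checks = db.execute(
            f"SELECT attribute, value FROM {check_table} WHERE username = ?",
            (user,)).fetchall()
        # No rows means no such profile; a missing or different attribute
        # in the request means the check list did not match.
        if checks and all(request.get(a) == v for a, v in checks):
            rows = db.execute(
                f"SELECT attribute, value FROM {reply_table} WHERE username = ?",
                (user,)).fetchall()
            return dict(rows)
    return None  # nothing matched: reject
```
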
