Johan Meiring wrote:
On 2010/07/21 11:00 AM, Alan DeKok wrote:
authorize {
    ...
    if (ADSL-Agent-Circuit-Id && \
        ("%{sql: select ...}")) {
        update control {
            Auth-Type := Accept
        }
    }
    else {
        reject
    }
}
I disagree with the logic slightly.
In my opinion it will also be rejected if ADSL-Agent-Circuit-Id does
not exist.
As far as I understand, the desirable result is:
If the ADSL-Agent-Circuit-Id does *not* exist, normal authentication
must happen.
If it *does* exist, accept or reject, depending on its value.
Would this not work better?
authorize {
    ...
    if (ADSL-Agent-Circuit-Id) {
        if ("%{sql: select ...}") {
            update control {
                Auth-Type := Accept
            }
        }
        else {
            reject
        }
    }
}

I have been attempting to implement this advice. I can use a 'select
count(*)' sql query and based on whether the value is 1, I can then set
Auth-Type := Accept just like it's written above. But, there's
additional processing that is desirable that I just can't figure out
how to do here. Instead of just blindly setting Accept, I might want to
proceed with having the sql module do group processing and so forth to
finally accumulate all of the reply attributes that apply to this
request. Maybe that reply is 'Auth-Type := Reject' but then others
contain 'Accept' along with framed-ip-address and so forth. This would
involve using a modified sql query in the event that
ADSL-Agent-Circuit-Id is present, and there doesn't appear to be any way
at run time to make that selection.

I am getting the impression that perhaps I need to run maybe a second
server that has its sql configured with queries tailored for the
presence of this attribute, and then proxy requests from the primary
server to this one in this case. I could probably run it on loopback on
another port so that the radius clients don't have to know anything
about it. Still it's a bit of work but that seems to be the only way
possible to make sql query one database if the attribute is present, and
query another if it's not (or, use different queries).

Would love more insight if anyone cares to share.

Thank you.