Try putting it in radgroupcheck, and usergroup should assign a group to each user.

That's how I use it with MySQL.


ciao artur


[EMAIL PROTECTED] wrote:


Hi,
I'm currently configuring a Freeradius 0.9.1 with EAP-TLS support and
Postgresql.
If I put in 'users' file DEFAULT Auth-Type := EAP


Everything works fine, but if someone gets a certificate he can log in.

I want to permit only users using postgresql.  What should I put into the radcheck,
radreply and usergroup tables to permit that?

log said that sql module returns ok
but my Auth-Type attribute is not handled, here is some table content:
radius=# select * from radcheck;
id | username | attribute | op | value
----+----------+---------------+----+----------
6 | greg | Auth-Type | := | EAP


(I don't know If I should put Auth-Type here)

radius=# select * from radreply;
id | username | attribute | op | value
----+----------+-----------+----+-------
5 | greg | Auth-Type | := | EAP


(I don't know If I should put Auth-Type here)

raddb/users :
DEFAULT Auth-Type := Reject
        Reply-Message = "high, low"

here is the query I use :
authorize_group_check_query = "SELECT gct.id, gct.GroupName, gct.Attribute, gct.Value, gct.Op FROM ${groupcheck_table} gct, ${usergroup_table} ugt WHERE ugt.Username = '%{SQL-User-Name}' AND ugt.GroupName = gct.GroupName ORDER BY gct.id"


authorize_group_reply_query = "SELECT grt.id, grt.GroupName, grt.Attribute, grt.Value, grt.Op FROM ${groupreply_table} grt, ${usergroup_table} ugt WHERE ugt.Username = '%{SQL-User-Name}' AND ugt.GroupName = grt.GroupName ORDER BY grt.id"

Note: these are not the default ones but they are verified to work ;p and tests were
performed with both (default and mine)


That's all. In many tests I've deleted the Auth-Type attribute from the tables and it didn't change anything; the result was the same, the MATCHED was the one found in the users file.

Really thanks, I'm sure I've missed something but I don't see what ;]

The final purpose of this is to be able to remove access for someone just by
updating the good field containing the Auth-Type attribute to REJECT or to put
a specific user in a reject group...
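
Added example, not part of the original thread and not FreeRADIUS code: the radgroupcheck/usergroup approach suggested in the reply at the top, run with the group check query from the post against an in-memory SQLite stand-in for the PostgreSQL tables. The group names, the user `mallory` and the helper function names are hypothetical, and the rows are constructed; it shows only which check items the query returns for a user, not how the server then processes them.

```python
import sqlite3

# The post's authorize_group_check_query with the ${...} table names filled in
# (radgroupcheck / usergroup) and '%{SQL-User-Name}' replaced by a bound parameter.
GROUP_CHECK_QUERY = """
SELECT gct.id, gct.GroupName, gct.Attribute, gct.Value, gct.Op
FROM radgroupcheck gct, usergroup ugt
WHERE ugt.Username = ? AND ugt.GroupName = gct.GroupName
ORDER BY gct.id
"""

def build_db():
    """In-memory stand-in for the radius database, with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT,
                                    Attribute TEXT, Op TEXT, Value TEXT);
        CREATE TABLE usergroup (id INTEGER PRIMARY KEY, Username TEXT, GroupName TEXT);
        -- one group per policy; both group names are hypothetical
        INSERT INTO radgroupcheck (GroupName, Attribute, Op, Value) VALUES
            ('eap-users', 'Auth-Type', ':=', 'EAP'),
            ('rejected',  'Auth-Type', ':=', 'Reject');
        INSERT INTO usergroup (Username, GroupName) VALUES ('greg', 'eap-users');
    """)
    return db

def group_check_items(db, username):
    """Return the (Attribute, Op, Value) check items the query yields for a user."""
    rows = db.execute(GROUP_CHECK_QUERY, (username,)).fetchall()
    return [(attr, op, value) for _id, _group, attr, value, op in rows]

def move_to_group(db, username, group):
    """Change a user's policy by updating the single usergroup row."""
    db.execute("UPDATE usergroup SET GroupName = ? WHERE Username = ?",
               (group, username))
    db.commit()

if __name__ == "__main__":
    db = build_db()
    print("greg:", group_check_items(db, "greg"))
    # A certificate holder with no usergroup row gets no group check items.
    print("mallory:", group_check_items(db, "mallory"))
    move_to_group(db, "greg", "rejected")
    print("greg after move:", group_check_items(db, "greg"))
```
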


