It doesn't work. When the user is a member of SUSPENDED and has a static IP address, rlm_sqlippool doesn't override the Framed-IP-Address. This is the behavior I expect for all other cases/groups.
I had another problem with this configuration. A user can be a member of multiple groups. If he is a member of SUSPENDED, I want it to be the only group evaluated. This can be achieved with "Fall-Through" in the users file, but I don't know how to do it with SQL.

Finally, I tried to use SQL-Group in the users file (see below). I can pull user attributes from the database after processing group attributes in the users file. Nevertheless, I still have a problem with group SUSPENDED. I need to end all the authorize processing instead of going on to the next module. Is it possible?

------ users ------
DEFAULT Pool-Name := "default"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.254,
        Framed-MTU = 1492,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Qos-Policy-Metering = DL128,
        Qos-Policy-Policing = UL64,
        Fall-Through = Yes

# Group processing
DEFAULT SQL-Group == "SUSPENDED", Auth-Type := Accept, \
        Pool-Name := "disabled"
# If user is disabled, I want to end authorize process now

DEFAULT SQL-Group == "DSL500", Pool-Name := "dsl500"
        Qos-Policy-Metering := DL512,
        Qos-Policy-Policing := UL128,
        Fall-Through = Yes
# go on with sql and user specific attributes
-----

---- radiusd.conf ----
[...]
authorize {
        files
        chap
        sql
}
[...]
-----

> WARNING: Are you sure that you don't want to reject connections from
> suspended/non-existent users? All they have to do is set a static IP
> address from your pool on their end (it's ever so simple to force a
> static IP address in Connection Properties) and gain access.

I am not able to gain access by adding an IP address in connection properties. Connection is rejected by the BAS when an IP (in the pool or not) is requested.

> It will work fine if you set the pool to override the IP address already
> set.
>
> 1. Leave the # Default profile for everyone in the users file
>
> 2. Make groups SUSPENDED, DSL500 etc. in groupcheck table. You need 2
> entries for group SUSPENDED, and one for others:
>
> (GroupName, Attribute, op, Value)
> SUSPENDED, Auth-Type, :=, Accept
> SUSPENDED, Pool-Name, :=, disabled
>
> DSL500, Pool-Name, :=, dsl500
>
> 3. Make groupreply entries:
>
> (GroupName, Attribute, op, Value)
> DSL500, Qos-Policy-Metering, :=, DL512
> DSL500, Qos-Policy-Policing, :=, UL128
>
> 4. Create user entries in radcheck table:
>
> (UserName, Attribute, op, Value)
> testuser, Cleartext-Password, :=, test
>
> 5. Set static IP addresses and routes in radreply table:
>
> (UserName, Attribute, op, Value)
> testuser, Framed-IP-Address, :=, ...
> etc.
>
> 6. Connect users to groups in usergroup table
>
> If the user is suspended IP address from the "disabled" IP pool will
> override the static IP address from the radreply table. Without the
> correct IP address route won't work.

Thanks

--
David Majorel
Offratel/Lagoon ISP