Try the following:

Add this to the top of the Authorize section:

authorize {
        # If the NAS sent a Circuit-Id, use it as both user name and password
        if (ADSL-Agent-Circuit-Id) {
                update request {
                        User-Name := "%{ADSL-Agent-Circuit-Id}"
                        User-Password := "%{ADSL-Agent-Circuit-Id}"
                }
        }

Then, add the Circuit-IDs to radcheck:

mysql> select * from radcheck where username = "circuit-123";
+--------+-------------+-----------------------+----+-------------+
| id     | username    | attribute             | op | value       |
+--------+-------------+-----------------------+----+-------------+
| 226536 | circuit-123 | ADSL-Agent-Circuit-Id | == | circuit-123 |
| 226537 | circuit-123 | Cleartext-Password    | := | circuit-123 |
+--------+-------------+-----------------------+----+-------------+
2 rows in set (0.00 sec)

Then run a test to make sure that when using the Circuit-Id to
authenticate the device, the ADSL-Agent-Circuit-Id must be in the
request.

[r...@sparky performance]# cat circuit-id.rad
User-Name = "test"
User-Password = "FreeRADIUS"

User-Name = "circuit-123"
User-Password = "circuit-123"

User-Name = ""
ADSL-Agent-Circuit-Id ="circuit-123"

User-Name = "void"
ADSL-Agent-Circuit-Id ="circuit-123"
[r...@sparky performance]#
[r...@sparky performance]# radclient -f circuit-id.rad localhost auth FreeRADIUS
Received response ID 81, code 2, length = 20
Received response ID 165, code 3, length = 20
Received response ID 157, code 2, length = 20
Received response ID 119, code 2, length = 20
[r...@sparky performance]#

Tim

> -----Original Message-----
> From: freeradius-users-bounces+tim.sylvester=networkradius....@lists.freeradius.org
> [mailto:freeradius-users-bounces+tim.sylvester=networkradius....@lists.freeradius.org]
> On Behalf Of Mike
> Sent: Wednesday, July 28, 2010 3:37 PM
> To: FreeRadius users mailing list
> Subject: Re: freeradius and ADSL-Agent-Circuit-Id
>
> Johan Meiring wrote:
> > On 2010/07/21 11:00 AM, Alan DeKok wrote:
> >>
> >> authorize {
> >>     ...
> >>     if (ADSL-Agent-Circuit-Id && \
> >>         ("%{sql: select ...}")) {
> >>         update control {
> >>             Auth-Type := Accept
> >>         }
> >>     }
> >>     else {
> >>         reject
> >>     }
> >> }
> >>
> >
> > I disagree with the logic slightly.
> > In my opinion it will also be rejected if ADSL-Agent-Circuit-Id does
> > not exist.
> >
> > As far as I understand, the desirable result is:
> > If the ADSL-Agent-Circuit-Id does *not* exist, normal authentication
> > must happen.
> > If it *does* exist, accept or reject, depending on its value.
> >
> > Would this not work better?
> >
> > authorize {
> >     ...
> >     if (ADSL-Agent-Circuit-Id) {
> >         if ("%{sql: select ...}") {
> >             update control {
> >                 Auth-Type := Accept
> >             }
> >         }
> >         else {
> >             reject
> >         }
> >     }
> > }
> >
>
> I have been attempting to implement this advice. I can use a 'select
> count(*)' sql query and based on whether the value is 1, I can then set
> Auth-Type := Accept just like it's written above. But, there's
> additional processing that is desirable that I just can't figure out
> how to do here. Instead of just blindly setting Accept, I might want to
> proceed with having the sql module do group processing and so forth to
> finally accumulate all of the reply attributes that apply to this
> request. Maybe that reply is 'Auth-Type := Reject' but then others
> contain 'Accept' along with framed-ip-address and so forth. This would
> involve using a modified sql query in the event that
> ADSL-Agent-Circuit-Id is present, and there doesn't appear to be any
> way at run time to make that selection.
>
> I am getting the impression that perhaps I need to run maybe a second
> server that has its sql configured with queries tailored for the
> presence of this attribute, and then proxy requests from the primary
> server to this one in this case. I could probably run it on loopback on
> another port so that the radius clients don't have to know anything
> about it. Still it's a bit of work but that seems to be the only way
> possible to make sql query one database if the attribute is present,
> and query another if it's not (or, use different queries).
>
> Would love more insight if anyone cares to share.
>
> Thank you.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
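
A simplified model of the policy in the reply above, added here as an example; it is not part of the original thread and not FreeRADIUS code. It replays the four packets from circuit-id.rad and shows that the "ADSL-Agent-Circuit-Id ==" row in radcheck is what rejects a login that merely knows the Circuit-Id. The radcheck row for user "test" and all function names are assumptions.

```python
# Constructed model of the authorize policy; real FreeRADIUS does much more.
# radcheck rows from the post, plus an ASSUMED row for user "test".
RADCHECK = {
    "circuit-123": [("ADSL-Agent-Circuit-Id", "==", "circuit-123"),
                    ("Cleartext-Password", ":=", "circuit-123")],
    "test": [("Cleartext-Password", ":=", "FreeRADIUS")],  # assumed
}

# The four packets from circuit-id.rad, in file order.
PACKETS = [
    {"User-Name": "test", "User-Password": "FreeRADIUS"},
    {"User-Name": "circuit-123", "User-Password": "circuit-123"},
    {"User-Name": "", "ADSL-Agent-Circuit-Id": "circuit-123"},
    {"User-Name": "void", "ADSL-Agent-Circuit-Id": "circuit-123"},
]

def authorize(packet, radcheck=RADCHECK):
    """Return 'Access-Accept' or 'Access-Reject' for one request."""
    req = dict(packet)  # per-request copy of the attribute list
    cid = req.get("ADSL-Agent-Circuit-Id")
    if cid is not None:
        # The unlang block: overwrite the identity with the Circuit-Id.
        req["User-Name"] = cid
        req["User-Password"] = cid
    rows = radcheck.get(req.get("User-Name", ""))
    if not rows:
        return "Access-Reject"  # unknown user
    password = None
    for attr, op, value in rows:
        if op == "==" and req.get(attr) != value:
            return "Access-Reject"  # check item not satisfied by the request
        if op == ":=" and attr == "Cleartext-Password":
            password = value
    ok = password is not None and req.get("User-Password") == password
    return "Access-Accept" if ok else "Access-Reject"

def run(radcheck=RADCHECK):
    """Evaluate all four test packets against the given table."""
    return [authorize(p, radcheck) for p in PACKETS]

def without_circuit_check():
    """Same table minus the '==' rows, to show what those rows protect."""
    weak = {u: [r for r in rows if r[1] != "=="] for u, rows in RADCHECK.items()}
    return run(weak)

if __name__ == "__main__":
    for pkt, result in zip(PACKETS, run()):
        print(pkt, "->", result)
```

With the "==" row removed, the second packet (Circuit-Id typed as user name and password, no ADSL-Agent-Circuit-Id attribute) is accepted, which is the case the test in the reply is meant to rule out.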