Multiple checks items for the same attribute
Hi

Forgive me if this topic has been covered before, for all my searching I could not find a solution.

I want to be able to check multiple values for the same check attribute (nas ipaddress || nas port). I have tried the :=, += way, but I'm guessing, since it didn't work, that this only works for reply attributes.

If anyone can point me in a general direction it would be most appreciated.

Regards

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple checks items for the same attribute
On Tue, Feb 16, 2010 at 5:24 PM, Sicly undecided siclyundeci...@gmail.com wrote:
> I want to be able to check multiple values for the same check attribute (nas ipaddress || nas port). I have tried the :=, += way, but I'm guessing, since it didn't work, that this only works for reply attributes.
>
> If anyone can point me in a general direction it would be most appreciated.

So you're saying you want access allowed if one of the multiple check attributes matches? There's no quick-and-standard way that I know of to achieve that. You'll probably be able to hack the sql module with custom queries and schema.

For example, I had a requirement where a username will be allowed access:
- from any Calling-Station-Id (for certain users), OR
- from a list of Calling-Station-Ids, where they are comprised of numbers only (phone numbers, to be exact) for most users.

Plus I need to enable/disable a user easily, and limit user validity only up to a certain time.

The authorize query became this complicated beast:

    authorize_check_query = SELECT `id`,`UserName`,`Attribute`,`Value`,`op`
      FROM `${authcheck_table}`
      WHERE `UserName` IN (
          SELECT `UserName` FROM `${authrestrict_table}`
          WHERE `Username` = '%{SQL-User-Name}'
            AND `Status`='enable'
            AND `EXPIRE` > now()
        )
        AND `UserName` IN (
          SELECT `UserName` FROM `${authclinumber_table}`
          WHERE `Username` = '%{SQL-User-Name}'
            AND `clinumber` IN ('ANY', convert('%{Calling-Station-Id}', SIGNED))
        )

The ${authclinumber_table} that I use to list Calling-Station-Ids goes like this

    +-----------+------------------+------+-----+---------+----------------+
    | Field     | Type             | Null | Key | Default | Extra          |
    +-----------+------------------+------+-----+---------+----------------+
    | id        | int(20) unsigned | NO   | PRI | NULL    | auto_increment |
    | UserName  | varchar(64)      | NO   | MUL |         |                |
    | clinumber | varchar(16)      | NO   | MUL | ANY     |                |
    +-----------+------------------+------+-----+---------+----------------+

where there can be many UserName-clinumber pairs for each user and phone number combination, and a clinumber of ANY if I want to allow access from any phone number.

While ${authrestrict_table} that I use to control user validity goes like this

    +----------+--------------------------+------+-----+---------------------+----------------+
    | Field    | Type                     | Null | Key | Default             | Extra          |
    +----------+--------------------------+------+-----+---------------------+----------------+
    | id       | int(20) unsigned         | NO   | PRI | NULL                | auto_increment |
    | UserName | varchar(64)              | NO   | UNI |                     |                |
    | Status   | enum('enable','disable') | NO   |     | enable              |                |
    | Expire   | datetime                 | NO   |     | 0000-00-00 00:00:00 |                |
    +----------+--------------------------+------+-----+---------------------+----------------+

As you can see it becomes complicated, and again I say this is a hack (which requires some knowledge of nested SQL query), but should give you a basic idea of what you need to do.

You could probably also use unlang and sql expansion, but I haven't had time to look into it for this purpose.

--
Fajar
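Added example, not part of the original thread and not Fajar's or the FreeRADIUS project's code: the nested authorize query above, adapted to SQLite so it can be run offline against constructed rows to see which users get check items back. The table names radcheck, authrestrict and authclinumber, the sample users and the fixed NOW value are assumptions; MySQL's convert(..., SIGNED) is replaced by a digits-only check in Python, and the values are bound as parameters rather than expanded into the query string.

```python
import sqlite3

NOW = "2010-02-16 17:24:00"   # constructed "current time" so results are repeatable

# Constructed rows: (user, status, expire, allowed clinumbers)
USERS = [
    ("alice", "enable",  "2030-01-01 00:00:00", ["ANY"]),
    ("bob",   "enable",  "2030-01-01 00:00:00", ["5550100", "5550101"]),
    ("carol", "disable", "2030-01-01 00:00:00", ["ANY"]),
    ("dave",  "enable",  "2009-12-31 00:00:00", ["ANY"]),
]

# Same shape as the authorize_check_query in the message above (SQLite dialect).
AUTHORIZE = """
SELECT id, UserName, Attribute, Value, op FROM radcheck
WHERE UserName IN (SELECT UserName FROM authrestrict
                   WHERE UserName = :user AND Status = 'enable' AND Expire > :now)
  AND UserName IN (SELECT UserName FROM authclinumber
                   WHERE UserName = :user AND clinumber IN ('ANY', :cli))
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT,
                               Attribute TEXT, op TEXT, Value TEXT);
        CREATE TABLE authrestrict (UserName TEXT UNIQUE, Status TEXT, Expire TEXT);
        CREATE TABLE authclinumber (UserName TEXT, clinumber TEXT DEFAULT 'ANY');
    """)
    for user, status, expire, numbers in USERS:
        db.execute("INSERT INTO radcheck (UserName, Attribute, op, Value) "
                   "VALUES (?, 'Cleartext-Password', ':=', 'constructed')", (user,))
        db.execute("INSERT INTO authrestrict VALUES (?, ?, ?)", (user, status, expire))
        db.executemany("INSERT INTO authclinumber VALUES (?, ?)",
                       [(user, n) for n in numbers])
    return db

def check_items(db, user, calling_station_id, now=NOW):
    # Stand-in for convert(..., SIGNED): only an all-digit caller ID is compared;
    # anything else binds NULL, so it can only match a stored 'ANY' row.
    digits = calling_station_id.isascii() and calling_station_id.isdigit()
    cli = calling_station_id if digits else None
    params = {"user": user, "now": now, "cli": cli}
    return db.execute(AUTHORIZE, params).fetchall()

if __name__ == "__main__":
    db = build_db()
    for user, cli in [("alice", "5559999"), ("bob", "5550101"), ("bob", "5559999"),
                      ("carol", "5550100"), ("dave", "5550100")]:
        print(user, cli, "check items" if check_items(db, user, cli) else "no rows")
```

An empty result hands the server no check items for that user, which is how the disabled, expired and wrong-number cases are kept out.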
Re: Multiple checks items for the same attribute
Sicly undecided wrote:
> Forgive me if this topic has been covered before, for all my searching I could not find a solution.

$ man unlang

> I want to be able to check multiple values for the same check attribute (nas ipaddress || nas port). I have tried the :=, += way, but I'm guessing, since it didn't work, that this only works for reply attributes.

In... the users file? SQL? Where?

Alan DeKok.
Re: Multiple checks items for the same attribute
> In... the users file? SQL? Where?

Sorry I forgot to mention... SQL

On Tue, Feb 16, 2010 at 1:17 PM, Alan DeKok al...@deployingradius.com wrote:
> Sicly undecided wrote:
> > Forgive me if this topic has been covered before, for all my searching I could not find a solution.
>
> $ man unlang
>
> > I want to be able to check multiple values for the same check attribute (nas ipaddress || nas port). I have tried the :=, += way, but I'm guessing, since it didn't work, that this only works for reply attributes.
>
> In... the users file? SQL? Where?
>
> Alan DeKok.
Re: Multiple checks items for the same attribute
Thanks Fajar... didn't see your response there at first. Wasn't expecting to find an easy way to do this. That looks like exactly what I need.

Thank you both again

On Tue, Feb 16, 2010 at 2:38 PM, Sicly undecided siclyundeci...@gmail.com wrote:
> > In... the users file? SQL? Where?
>
> Sorry I forgot to mention... SQL
>
> On Tue, Feb 16, 2010 at 1:17 PM, Alan DeKok al...@deployingradius.com wrote:
> > Sicly undecided wrote:
> > > Forgive me if this topic has been covered before, for all my searching I could not find a solution.
> >
> > $ man unlang
> >
> > > I want to be able to check multiple values for the same check attribute (nas ipaddress || nas port). I have tried the :=, += way, but I'm guessing, since it didn't work, that this only works for reply attributes.
> >
> > In... the users file? SQL? Where?
> >
> > Alan DeKok.