Hi,

About two years ago I set up a freeradius server (as well as integration with their accounting system) with a mysql backend. Now, I need to make a change and I'm looking at either rewriting the programs or (hopefully) just making some changes to the configuration/database data.

Basically I added a group to radgroupreply with all the attributes that a normal, authorized user would need. I added the user default to that group and enabled default_user_profile in sql.conf. Additionally, we created a "suspend" group that gave an Access-Reject. Anyone suspended by the accounting program is added to this group.

Later, we made a change... suspended accounts were allowed to connect (Access-Accept), but they were given specific Ascend-Data-Filter packets in order to restrict them to one server that allows them to make payments. The default dialin group also has Ascend-Data-Filter packets (to restrict access to port 25 and 119 beyond our network).

The problem with this setup is that when a "suspend" user authenticates to the freeradius server, it first grabs both the attributes associated with the 'suspend' group AND the 'dialin' group. This means that we are sending two blocks of Ascend-Data-Filter attributes. With most of the equipment, this didn't cause a problem... it took the first group and ignored the rest. However, we have recently started using some equipment that is reading both and ends up allowing suspended users' traffic out.

So, that is the situation. Basically, without individually putting every current user into the dialin group (which involves a major software rewrite), is there a way to define a set of reply packets that every (valid authenticated) user will receive, unless they are in a group? Or, to ask that a different way, people in the group "suspend" should receive only the reply attributes associated with the GroupName "suspend". Everyone else should get a different, default set of attributes (whether defined in radgroupreply or radreply makes no difference to me).

Thanks in advance for any help that you can give,

John
--
YourTech, LLC - http://yourtech.us/
(this account is used for mailing lists)
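
An added sketch, not part of the original post and not FreeRADIUS code: it models the situation described above in an in-memory SQLite database, showing the merged reply that carries two Ascend-Data-Filter blocks beside the requested selection where the default profile applies only to users with no group of their own. The `usergroup` table, the column layout, the `DEFAULT` user name, the user names and the filter values are constructed assumptions.

```python
import sqlite3

# Constructed sample data. Only radgroupreply, GroupName and the group names
# come from the post; everything else here is an assumption for the sketch.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
        CREATE TABLE radgroupreply (GroupName TEXT, Attribute TEXT, Value TEXT);
        INSERT INTO usergroup VALUES ('DEFAULT', 'dialin'), ('bob', 'suspend');
        INSERT INTO radgroupreply VALUES
            ('dialin',  'Framed-Protocol',    'PPP'),
            ('dialin',  'Ascend-Data-Filter', '<placeholder: limit ports 25/119>'),
            ('suspend', 'Ascend-Data-Filter', '<placeholder: payment server only>');
    """)
    return db

REPLY_SQL = """
    SELECT r.GroupName, r.Attribute, r.Value
    FROM usergroup g JOIN radgroupreply r ON r.GroupName = g.GroupName
    WHERE g.UserName = ?
    ORDER BY r.rowid
"""

def merged_replies(db, user):
    """Behaviour described in the post: own groups plus the default profile."""
    own = db.execute(REPLY_SQL, (user,)).fetchall()
    return own + db.execute(REPLY_SQL, ("DEFAULT",)).fetchall()

def exclusive_replies(db, user):
    """Requested behaviour: default profile only when the user has no group."""
    own = db.execute(REPLY_SQL, (user,)).fetchall()
    return own if own else db.execute(REPLY_SQL, ("DEFAULT",)).fetchall()

def filter_sources(replies):
    """Groups that contributed an Ascend-Data-Filter block to the reply."""
    return sorted({g for g, attr, _ in replies if attr == "Ascend-Data-Filter"})

if __name__ == "__main__":
    db = build_db()
    for user in ("bob", "alice"):  # bob is suspended, alice has no group row
        print(user, filter_sources(merged_replies(db, user)),
              filter_sources(exclusive_replies(db, user)))
```

A reply whose `filter_sources` lists more than one group is the condition that let suspended users' traffic out on equipment that applies every filter block it receives.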