I try to set up a FreeRadius where any user can be a member of one or more groups. The groups should check which service the user is using. Access should be granted if one of the groups has a match.
I used the docs at http://wiki.freeradius.org/index.php/Rlm_sql. The 2 groups in this example should check if the request is coming from concentrator A resp. B. If a user is member of both groups access should be granted if he's either using A or B, but only access through A is permitted. If a user is only member of group A or B then everything is fine. As it turns out the check for IP A is a match for the radius server and thus access is denied because the IP in the request is B. But according to the docs "==" should only match if both attribute and value matches. I would expect the first the not to be a match and to try the 2nd test next. When I change the Attribute in the 1st test from NAS-IP-Address to an attribute not in the request the access from IP B is granted. Probably I misunderstood the checking algorithm. Can you give me a hint how to configure this correctly? I tested with FreeRadius 1.1.2 and a pre 1.0. Thanks, -Andreas radcheck: | id | UserName | Attribute | op | Value | +------+-------------------------+-----------------+----+---------+ | 1 | joe | Password | == | blah | radreply: | id | UserName | Attribute | op | Value | +----+-----------------+--------------+----+-------+ | 1 | joe | Fall-Through | = | Yes | usergroup: | id | UserName | GroupName | +----+---------------------------+-----------+ | 1 | joe | My01group | | 2 | joe | My02group | radgroupcheck: | id | GroupName | Attribute | op | Value | +----+------------+----------------+----+-----------------+ | 1 | My01group | NAS-IP-Address | == | 10.11.12.13 | | 2 | My02group | NAS-IP-Address | == | 10.11.12.14 | - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html