Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.


#44 Disabling users, group daloRADIUS-Disabled-Users is ignored


When a user is disabled over the web interface, the user is added to the group "daloRADIUS-Disabled-Users". The idea is to send a RADIUS-Auth-Type reject to the NAS when a user is a member of this group. Now i discovered the following behaviour.

  • When the user is only in the group "daloRADIUS-Disabled-Users", freeradius rejects the connection
  • When the user is in multiple groups with equal priorities, but "daloRADIUS-Disabled-Users" appears first in the database, , freeradius rejects the connection
  • When the user is in multiple groups an just one group has a higher priority than "daloRADIUS-Disabled-Users", freeradius allows connections.

Disabling users take place in the file include/management/userOperations.php (function userDisable):

$sql = "INSERT IGNORE INTO ".$configValues['CONFIG_DB_TBL_RADUSERGROUP']." (Username,Groupname,Priority) ".
" VALUES ('$user','daloRADIUS-Disabled-Users',0) ";

So this group always has standard priority and normally would appear after other groups in the databases when disabling a user.
When i change the line to something like

$sql = "INSERT IGNORE INTO ".$configValues['CONFIG_DB_TBL_RADUSERGROUP']." (Username,Groupname,Priority) ".
" VALUES ('$user','daloRADIUS-Disabled-Users',-999) ";

the priority is very low and will be sorted first by freeradius.

Is this behaviour known? Or is it maybe a bug from freeradius that it doesn´t process the attributes of all groups?

Best regards
Andreas Bruckmeier


  • Anonymous

    This is not bug, this is freeradius feature :) Please, see Fall-Through attribute in freeradius docs.



Cancel   Add attachments