When a user is disabled over the web interface, the user is added to the group "daloRADIUS-Disabled-Users". The idea is to send a RADIUS-Auth-Type reject to the NAS when a user is a member of this group. Now I discovered the following behaviour.
Disabling users takes place in the file include/management/userOperations.php (function userDisable):
...
$sql = "INSERT IGNORE INTO ".$configValues['CONFIG_DB_TBL_RADUSERGROUP']." (Username,Groupname,Priority) ".
" VALUES ('$user','daloRADIUS-Disabled-Users',0) ";
...
So this group always has standard priority and normally would appear after other groups in the databases when disabling a user.
When I change the line to something like
$sql = "INSERT IGNORE INTO ".$configValues['CONFIG_DB_TBL_RADUSERGROUP']." (Username,Groupname,Priority) ".
" VALUES ('$user','daloRADIUS-Disabled-Users',-999) ";
the priority is very low and will be sorted first by freeradius.
Is this behaviour known? Or is it maybe a bug from freeradius that it doesn't process the attributes of all groups?
Best regards
Andreas Bruckmeier
Anonymous
This is not a bug, this is a freeradius feature :) Please see the Fall-Through attribute in the freeradius docs.
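
The group walk discussed in this thread, as an added example that is not part of the original posts and is not daloRADIUS or FreeRADIUS code. It is a simplified model: the reduced table layout, the user 'alice', the group 'staff' and its Session-Timeout reply are constructed, and it assumes groups are read in ascending priority (ties in insertion order), every group matches, and processing stops after a group unless its reply items contain Fall-Through = Yes.

```python
import sqlite3

DISABLED = "daloRADIUS-Disabled-Users"

def build_db(disabled_priority, staff_fall_through=False):
    # Constructed sample data: 'alice' is in a hypothetical 'staff' group
    # (priority 0, inserted first) and is disabled afterwards.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
        CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
        INSERT INTO radusergroup VALUES ('alice', 'staff', 0);
        INSERT INTO radgroupreply VALUES ('staff', 'Session-Timeout', ':=', '3600');
        INSERT INTO radgroupcheck VALUES
            ('daloRADIUS-Disabled-Users', 'Auth-Type', ':=', 'Reject');
    """)
    if staff_fall_through:
        db.execute("INSERT INTO radgroupreply VALUES ('staff', 'Fall-Through', '=', 'Yes')")
    db.execute("INSERT INTO radusergroup VALUES ('alice', ?, ?)",
               (DISABLED, disabled_priority))
    return db

def authorize(db, user):
    # Simplified model (assumption, see lead-in): walk groups by ascending
    # priority and stop unless the group's reply has Fall-Through = Yes.
    control, reply = {}, {}
    groups = db.execute("SELECT groupname FROM radusergroup WHERE username = ? "
                        "ORDER BY priority, rowid", (user,)).fetchall()
    for (group,) in groups:
        for attr, value in db.execute(
                "SELECT attribute, value FROM radgroupcheck WHERE groupname = ?", (group,)):
            control[attr] = value              # e.g. Auth-Type := Reject
        fall_through = False
        for attr, value in db.execute(
                "SELECT attribute, value FROM radgroupreply WHERE groupname = ?", (group,)):
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply[attr] = value
        if not fall_through:
            break                              # later groups are never evaluated
    return control, reply

def disabled_user_rejected(disabled_priority, staff_fall_through=False):
    control, _ = authorize(build_db(disabled_priority, staff_fall_through), "alice")
    return control.get("Auth-Type") == "Reject"

if __name__ == "__main__":
    for prio, ft in [(0, False), (-999, False), (0, True)]:
        print(f"priority={prio} staff Fall-Through={ft} -> rejected={disabled_user_rejected(prio, ft)}")
```

In this model the disabled user is rejected either when the disabled group sorts first (priority -999) or when every group ahead of it carries Fall-Through = Yes; with both groups at priority 0 and no Fall-Through, the reject is never reached.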