This is a continuation of my previous article regarding FreeRADIUS with SQLite as the storage backend.

I recently came to think that it would sometimes be nice to be able to temporarily disable (or enable) accounts. For example, consider a scenario where you have some friends who do not come and visit you very often. Why keep their accounts activated all the time? Wouldn’t it be convenient (and more secure) just to enable their accounts when they are visiting, and then disable the accounts again?

I might be biased, but I think so! So let’s look at how this is achieved with the SQLite backend.

Modifying the database

The disabling of the accounts will be achieved by having a group named disabled. Our goal is to deny all members of this group access to the wireless network.

In this way, when we want to disable an account, we just add it to the disabled group. When we want to re-enable it, we simply remove the account from the group. Simple!

We start off by adding the group and ensuring that membership causes access to be denied. This is achieved by setting the Auth-Type to Reject in the check phase.

INSERT INTO radgroupcheck (groupname, attribute, op, value)
    VALUES ('disabled', 'Auth-Type', ':=', 'Reject');

Disable an account

To disable an account, we add it to the disabled group.

INSERT INTO radusergroup (username, groupname, priority)
    VALUES ('user', 'disabled', 0);

We use a priority of 0 since we want this group to be applied before any other properties.

Enable an account

Just remove the user from the group.

DELETE FROM radusergroup WHERE username='user' AND groupname='disabled';
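
The disable and enable steps above, wrapped as idempotent functions so that disabling an account twice does not leave duplicate membership rows in a table without a uniqueness constraint. This is an added example, not the helper script mentioned below; the in-memory schema is a constructed subset holding only the columns the article uses, and the user alice and the group guests are constructed sample data.

```python
import sqlite3

GROUP = "disabled"  # group name from the article

def open_demo_db():
    """In-memory stand-in for the FreeRADIUS database (constructed, minimal columns)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
        INSERT INTO radgroupcheck (groupname, attribute, op, value)
            VALUES ('disabled', 'Auth-Type', ':=', 'Reject');
        INSERT INTO radusergroup VALUES ('alice', 'guests', 1);  -- constructed sample row
    """)
    return db

def is_disabled(db, username):
    """True if the user has at least one membership row in the disabled group."""
    row = db.execute(
        "SELECT 1 FROM radusergroup WHERE username = ? AND groupname = ?",
        (username, GROUP)).fetchone()
    return row is not None

def disable(db, username):
    """Add the user to the disabled group with priority 0; return False if already there."""
    with db:  # commits on success, rolls back on error
        if is_disabled(db, username):
            return False
        db.execute(
            "INSERT INTO radusergroup (username, groupname, priority) VALUES (?, ?, 0)",
            (username, GROUP))
    return True

def enable(db, username):
    """Remove every disabled-group row for the user; return the number of rows removed."""
    with db:
        cur = db.execute(
            "DELETE FROM radusergroup WHERE username = ? AND groupname = ?",
            (username, GROUP))
    return cur.rowcount

if __name__ == "__main__":
    db = open_demo_db()
    print(disable(db, "alice"), disable(db, "alice"))
    print(enable(db, "alice"), is_disabled(db, "alice"))
```

The parameterized queries keep a username that contains quotes from altering the statement, and enable() leaves the user's other group memberships untouched.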

Helper application

Having a SQLite backend as described is clearly nice; however, it is somewhat cumbersome to manually handle the SQLite database. I have therefore developed a neat helper script which makes it fairly easy to add new users, auto-generate random passwords, delete accounts, etc.

You can view the project on GitHub. There are also some nice screenshots there!