This is a continuation of my previous article regarding FreeRADIUS with SQLite as the storage backend.
I recently came to think that it would sometimes be nice to be able to temporarily disable (or enable) accounts. For example, consider a scenario where you have some friends who do not come and visit you very often. Why keep their accounts activated all the time? Wouldn’t it be convenient (and more secure) just to enable their accounts when they are visiting, and then disable the accounts again?
I might be biased, but I think so! So let’s look at how this is achieved with the SQLite backend.
The idea is to use a group named disabled. Our goal is to deny all members of this group access to the wireless network. In this way, when we want to disable an account, we just add it to the disabled group. When we want to re-enable it, we simply remove the account from the group. Simple!
We start off by adding the group and ensuring that membership causes access to be denied. This is achieved by setting Auth-Type to Reject in the check phase.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES ('disabled', 'Auth-Type', ':=', 'Reject');
INSERT INTO radusergroup (username, groupname, priority) VALUES ('user', 'disabled', 0);
We use a priority of 0 since we want this group to be applied before any other properties.
DELETE FROM radusergroup WHERE username='user' AND groupname='disabled';
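The three statements above can be wrapped in small helpers that are safe to call repeatedly, so disabling an account twice does not leave duplicate membership rows and re-enabling touches only the disabled group. This is an added example, not code from the article or its project: the Python sqlite3 wrapper, the function names and the simplified two-table schema are assumptions (a real FreeRADIUS database already contains these tables).

```python
import sqlite3

GROUP = "disabled"  # group name used in the article

# Stand-in schema (assumption): only the columns the article's statements
# touch. Against a real FreeRADIUS SQLite file, skip this and open that file.
SCHEMA = """
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT,
    attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup (id INTEGER PRIMARY KEY, username TEXT,
    groupname TEXT, priority INTEGER DEFAULT 1);
"""

def open_demo_db():
    """In-memory database with the stand-in schema, for trying the helpers."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def ensure_reject_group(db):
    """Insert the Auth-Type := Reject check item only if it is missing."""
    if db.execute("SELECT 1 FROM radgroupcheck WHERE groupname=? "
                  "AND attribute='Auth-Type'", (GROUP,)).fetchone() is None:
        db.execute("INSERT INTO radgroupcheck (groupname, attribute, op, value) "
                   "VALUES (?, 'Auth-Type', ':=', 'Reject')", (GROUP,))

def is_disabled(db, username):
    """True if the account is currently a member of the disabled group."""
    return db.execute("SELECT 1 FROM radusergroup WHERE username=? "
                      "AND groupname=?", (username, GROUP)).fetchone() is not None

def disable_account(db, username):
    """Add the account to the group; repeated calls leave a single row."""
    with db:  # commits on success, rolls back on error
        ensure_reject_group(db)
        if not is_disabled(db, username):
            db.execute("INSERT INTO radusergroup (username, groupname, priority) "
                       "VALUES (?, ?, 0)", (username, GROUP))

def enable_account(db, username):
    """Remove only the disabled membership; returns the rows deleted."""
    with db:
        cur = db.execute("DELETE FROM radusergroup WHERE username=? "
                         "AND groupname=?", (username, GROUP))
    return cur.rowcount
```

The username is always passed as a bound parameter, so the helpers can take account names from a script argument or form field without building SQL strings.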
You can view the project on GitHub. There are also some nice screenshots there!