From d748b6020e7bb322ecfd7b9f7f2c891c8f2dbc19 Mon Sep 17 00:00:00 2001
From: josedario87
Date: Fri, 26 Sep 2025 14:53:08 -0600
Subject: [PATCH] logica de aprobacion ejecutandose, no se evalua siempre

---
 freeradius/sites-enabled/default      | 13 ++++++++++++-
 freeradius/sites-enabled/inner-tunnel |  7 +++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/freeradius/sites-enabled/default b/freeradius/sites-enabled/default
index 1680b6b..be95728 100644
--- a/freeradius/sites-enabled/default
+++ b/freeradius/sites-enabled/default
@@ -12,13 +12,21 @@ server default {
 	}
 
 	authorize {
-		# Si es EAP (WPA-Enterprise), procesar EAP y salir para no interferir
+		# Si es EAP (WPA-Enterprise)
 		if (&EAP-Message) {
+			# Si el usuario está deshabilitado según SQL, rechazar antes de llamar a eap
+			if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username='%{User-Name}' AND attribute='Auth-Type' AND value='Reject'}" != "0") {
+				reject
+			}
 			eap
 			return
 		}
 		# Cargar atributos desde SQL (VLAN/bw, etc.)
 		sql
+		# Si está deshabilitado en SQL, rechazar
+		if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username='%{User-Name}' AND attribute='Auth-Type' AND value='Reject'}" != "0") {
+			reject
+		}
 		# Laboratorio: aceptar todo en flujos no EAP
 		update control {
 			Auth-Type := Accept
@@ -28,6 +36,9 @@ server default {
 	authenticate {
 		# EAP para WPA-Enterprise
 		eap
+		Auth-Type Reject {
+			reject
+		}
 		# Aceptar todo cuando control:Auth-Type := Accept (no EAP)
 		Auth-Type Accept {
 			ok
diff --git a/freeradius/sites-enabled/inner-tunnel b/freeradius/sites-enabled/inner-tunnel
index 814c936..70b5523 100644
--- a/freeradius/sites-enabled/inner-tunnel
+++ b/freeradius/sites-enabled/inner-tunnel
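Review bot: The reject check added inside `if (&EAP-Message)` keys on the outer `User-Name`, which for tunneled methods such as PEAP or TTLS is commonly an anonymous outer identity, so in those flows it cannot see the account being disabled and the inner-tunnel check is the one that actually matters; a comment stating that this outer check only covers non-tunneled EAP or a matching outer identity would prevent a false sense of coverage. The comparison `!= "0"` also fires when the xlat expands to an empty string, i.e. on a database error, so the behaviour is fail-closed and should be stated: `# Nota: una expansión vacía (error SQL) también rechaza; fail-closed a propósito`. The identical xlat is pasted three times (here, in the non-EAP branch below, and in the inner-tunnel authorize hunk); moving it into one named policy under policy.d would keep the copies from drifting. The client-supplied `%{User-Name}` is only safe inside that query because rlm_sql's xlat applies its escape function according to `safe_characters`, which is worth a comment so nobody later rewrites it as a plain string expansion.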
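Review bot: The new `Auth-Type Reject { reject }` sub-section in `authenticate` looks unreachable: as far as I recall, the server core short-circuits a request whose control:Auth-Type is Reject before the authenticate section is entered, and the `reject` calls added in authorize already return early. The same sub-section is added in the inner-tunnel authenticate hunk. If it is kept as a safety net, a one-line comment saying so would stop readers from assuming this is where disabled users are actually rejected, e.g. `# Solo red de seguridad; los usuarios deshabilitados se rechazan en authorize`. Both authenticate sections continue outside their hunks.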
@@ -8,6 +8,10 @@ server inner-tunnel {
 	authorize {
 		# Cargar credenciales/atributos del usuario desde SQL
 		sql
+		# Si está deshabilitado en SQL, rechazar antes de EAP
+		if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username='%{User-Name}' AND attribute='Auth-Type' AND value='Reject'}" != "0") {
+			reject
+		}
 		# En caso de que el módulo SQL no haya poblado Cleartext-Password, obténlo vía xlat
 		update control {
 			Cleartext-Password := "%{sql:SELECT value FROM radcheck WHERE username='%{User-Name}' AND attribute='Cleartext-Password' ORDER BY id DESC LIMIT 1}"
@@ -32,6 +36,9 @@ server inner-tunnel {
 		Auth-Type MS-CHAP {
 			mschap
 		}
+		Auth-Type Reject {
+			reject
+		}
 	}
 
 	post-auth {
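Review bot: The `sql` call immediately above the new check already reads radcheck and, for a row with `Auth-Type := Reject`, would normally set control:Auth-Type itself, so the added COUNT(*) query is a second database round-trip per inner authentication that largely duplicates work rlm_sql has just done; confirm this against the sql module's configuration. If the explicit check is deliberately kept because it returns early and fails closed on an empty expansion, a comment stating that rationale would stop a later cleanup from removing one of the two mechanisms, e.g. `# Comprobación explícita además de radcheck: retorna antes y rechaza si el SQL falla`. The authorize section continues outside the hunk.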