Authorization

Dusty Doris freeradius at mail.doris.cc
Mon Dec 19 17:02:33 CET 2005


> Let's say I have 2 groups: students and faculty.
> I want to authorize authenticated members of the LDAP group
> cn=students,ou=Groups IFF their Access-Request Called-Station-ID =~
> "/:StudentWLAN$/"
> I want to authorize authenticated members of the LDAP group
> cn=faculty,ou=Groups IFF their Access-Request Called-Station-ID =~
> "/:FacultyWLAN$/"


You left out your ldap part?  Anyway it should look something like this.

# In the ldap { ... } module section of radiusd.conf:
# the group's name is taken from its cn, and a user is a member of a
# GroupOfNames entry when that entry's member attribute holds the user's DN.
groupname_attribute = cn
groupmembership_filter = "(&(objectclass=GroupOfNames)(member=%{Ldap-UserDN}))"

Of course you'll have to change that to fit with how your directory is 
structured.  Once you've got that part down, then in the users file you 
could do something like this.

# Check items only, no reply items: the first entry whose check items all
# match is used.  The regex is given as the bare string (rlm_files passes it
# straight to the regex compiler, so no surrounding slashes); "$" anchors the
# match to the SSID the access point appends to the Called-Station-Id.
DEFAULT Called-Station-Id =~ ":StudentWLAN$", Ldap-Group == "students"

DEFAULT Called-Station-Id =~ ":FacultyWLAN$", Ldap-Group == "faculty"

# Nothing above matched: reject.
DEFAULT Auth-Type := Reject

That would look to see if Called-Station-ID matches that regex.  If so, it 
would look to see if they are in the Ldap-Group of students.  Your 
groupmembership filter and groupname_attribute should look for a group 
named cn=students and then see if the DN of the user is in it.

If not, it would fall through to the Reject statement.  Now, there are 
other things going on outside of ldap that I don't really know about, so a 
copy/paste of what I wrote might not work.  But, it should help lead you 
in the right direction.

I'd give it a shot running in debug mode (radiusd -X) and then you can see 
the exact queries that are taking place and what is happening.  You can 
then go back and modify those ldap group statements and the users file to 
fit what you need.

Once you've got it started if you need more help, please post debug output 
and what you would expect vs what you got and we can probably help sort it 
out.
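To see how the three users-file entries above are evaluated, here is an added Python model of rlm_files check-item matching (this is an illustration written for this page, not FreeRADIUS code); the directory is stood in for by a plain set of group names, and the request values are constructed.

```python
import re

# Constructed model of the three users-file entries in this thread.
# Each entry is (check items, outcome); the first entry whose check
# items all pass wins and later entries are not consulted.
USERS_ENTRIES = [
    # DEFAULT Called-Station-Id =~ ":StudentWLAN$", Ldap-Group == "students"
    ([("Called-Station-Id", "=~", r":StudentWLAN$"),
      ("Ldap-Group", "==", "students")], "accept"),
    # DEFAULT Called-Station-Id =~ ":FacultyWLAN$", Ldap-Group == "faculty"
    ([("Called-Station-Id", "=~", r":FacultyWLAN$"),
      ("Ldap-Group", "==", "faculty")], "accept"),
    # DEFAULT Auth-Type := Reject  (no check items, so it always matches)
    ([], "reject"),
]


def check_item_matches(attr, op, value, request, ldap_groups):
    """Evaluate one check item against the request and the user's groups."""
    if attr == "Ldap-Group":
        # rlm_ldap answers Ldap-Group by running groupmembership_filter;
        # here the directory is simply a set of group names.
        return value in ldap_groups
    actual = request.get(attr)
    if actual is None:
        return False
    if op == "=~":
        # The value string is the regex itself; "$" ties it to the SSID
        # suffix, so ":StudentWLAN-2" does not match ":StudentWLAN$".
        return re.search(value, actual) is not None
    if op == "==":
        return actual == value
    raise ValueError(f"unsupported operator {op}")


def authorize(request, ldap_groups):
    """Return (outcome, entry index) for the first matching entry."""
    for index, (checks, outcome) in enumerate(USERS_ENTRIES):
        if all(check_item_matches(a, o, v, request, ldap_groups)
               for a, o, v in checks):
            return outcome, index
    return "reject", -1  # not reached: the bare DEFAULT always matches


# Constructed requests: the AP appends the SSID to the Called-Station-Id.
STUDENT_ON_STUDENT_AP = {"User-Name": "alice",
                         "Called-Station-Id": "00-11-22-33-44-55:StudentWLAN"}
STUDENT_ON_FACULTY_AP = {"User-Name": "alice",
                         "Called-Station-Id": "00-11-22-33-44-66:FacultyWLAN"}

if __name__ == "__main__":
    print(authorize(STUDENT_ON_STUDENT_AP, {"students"}))  # ('accept', 0)
    print(authorize(STUDENT_ON_FACULTY_AP, {"students"}))  # ('reject', 2)
```

Running it with `radiusd -X` in mind: the entry index printed here corresponds to which users-file entry the debug output would report as matched.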


