Access-Accept / Access-Reject based on LDAP Group & SSID

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Mar 20 16:05:33 CET 2015


> On 20 Mar 2015, at 10:16, Ben Humpert <ben at an3k.de> wrote:
> 
> 2015-03-20 2:15 GMT+01:00 Matthew Newton <mcn4 at leicester.ac.uk>:
>> 
>> Try the rlm_ldap page: http://wiki.freeradius.org/modules/Rlm_ldap
>> "Group Support".
>> 
>> If you've already followed the part from the mac auth docs about
>> getting Called-Station-SSID, you should be able to do something like
>> 
>>  if (Called-Station-SSID == "guest") {
>>    if (Ldap-Group == "guestgroup") {
>>      noop
>>    }
>>    else {
>>      reject
>>    }
>>  }
>> 
>> or similar, to accomplish what you want.
> 
> Thank you very much for posting that example. I got what I wanted to
> achieve working. However, it feels like a very dirty hack. Isn't there
> a better way (maybe in newer versions)?


if (Ldap-Group == Called-Station-SSID) {

}

It's not really clear what you're trying to do...

> 
>> 2.1.12 is ancient and has plenty of bugs and security issues. If
>> you really want to use it, you're probably better off going to
>> Ubuntu for help. Long term "support" should mean that...
>> 
>> Building 2.2.6 on Debian is absolutely trivial.
>> http://wiki.freeradius.org/building/Build#Building-Debian-packages
>> 
>> Having said that, unlang like the above will /probably/ be OK on
>> that version. But no one around here is particularly interested, as
>> you've found out :)
> 
> If I would use 2.2.6 wouldn't I have to use the same configuration as
> I have to use in 2.1.12, or are there easier and more modular ways to
> implement what I want to achieve?
> 
> Currently I have to "hardcode" every group into the configuration file
> and every time I add/remove a group I have to edit the file and restart
> Radius. It's like Radius without LDAP. I thought of something like
> 
> if (%{tolower:%{Ldap-Group}} == %{Called-Station-Ssid}) {
>  noop
> }
> else {
>  reject
> }

In version 3 you can use LDAP group caching, and the multivalue selector.

if (&LDAP-Group[*] == &Called-Station-Id) {

}


Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
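An added configuration example (not from this thread or the FreeRADIUS project's own files) showing what the version 3 approach looks like in practice: rlm_ldap group caching in mods-available/ldap, and the SSID-to-group comparison in the authorize section, so that adding or removing an LDAP group named after an SSID needs no server restart. It assumes the module instance is named `ldap`, that the stock `rewrite_called_station_id` policy is used to populate `Called-Station-SSID` from a "MAC:SSID" Called-Station-Id, and that groups carry the same (lowercase) names as the SSIDs; the base DN and attribute names are constructed sample values.

```unlang
# mods-available/ldap (FreeRADIUS 3.x), group section only;
# server, identity and user sections are unchanged.
ldap {
    group {
        base_dn = "ou=groups,dc=example,dc=com"      # sample value
        filter = "(objectClass=groupOfNames)"        # sample value
        name_attribute = cn
        membership_attribute = "memberOf"

        # Resolve all of the user's groups once during authorize and
        # cache the names in the control list as LDAP-Group, one
        # attribute instance per group. No group is named in the config.
        cacheable_name = yes
        cacheable_dn = no
    }
}

# sites-available/default, relevant part of the authorize section
authorize {
    # Split "MAC:SSID" into Called-Station-Id and Called-Station-SSID
    rewrite_called_station_id

    # Populates &control:LDAP-Group[*] because cacheable_name = yes
    ldap
    if (notfound) {
        reject
    }

    # The NAS did not send an SSID, so no group can be matched;
    # fail closed rather than accept by accident.
    if (!&Called-Station-SSID) {
        reject
    }

    # The == comparison is case-sensitive, so normalise the SSID
    # to match the lowercase group names assumed above.
    update request {
        &Called-Station-SSID := "%{tolower:%{Called-Station-SSID}}"
    }

    # Access only if any cached group name equals the SSID
    if (&control:LDAP-Group[*] == &Called-Station-SSID) {
        ok
    }
    else {
        reject
    }
}
```

Run `radiusd -X` and send a test request with a Called-Station-Id of the form "AA-BB-CC-DD-EE-FF:guest" to confirm that the cached LDAP-Group attributes appear in the debug output before the comparison runs.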
