FreeRadius 3.0.13 - Using SSID to check AD groups

Pierre de Jong pierredejong at gmail.com
Tue Apr 4 13:47:27 CEST 2017


>
> UNABLE to use "%{Called-Station-SSID}"  (nor %Called-Station-SSID)
>
What do you mean by "unable to use"?

I mean that when I try to "show" the %{Called-Station-SSID} ..... like, in
a message, we do a "## %{user} - %{Called-Station-SSID} ##" --> it returns:
## username - ##

That is what I mean.

I will send a radiusd -X output soon...

But YES, in the radiusd -X, I can see that Called-Station-SSID is set to a
"RIGHT" value.... but we do not seem to be able to use it "anywhere".


Pierre de Jong
-.-.-.-.-.-.-.-.-.-.-

2017-04-04 11:24 GMT+02:00 Brian Candler <b.candler at pobox.com>:

> On 04/04/2017 09:30, Pierre de Jong wrote:
>
>> We could see that is was working, in the "radiusd -X" output.
>>
> So please show us the radiusd -X output from an exchange where the problem
> occurs.
>
> We encountered the following problem:
>>
>> UNABLE to use "%{Called-Station-SSID}"  (nor %Called-Station-SSID)
>>
> What do you mean by "unable to use"?
>
> What's important is what attributes are in the incoming request, and which
> attribute identifies the SSID the user is connecting to. This is different
> depending on what AP you are using.
>
>
>> - rewrite_called_station_id   --> has been called in "authorized" that
>> should "instantiate" the Called-Station-SSID
>>
> Only if your AP generates a Called-Station-ID attribute in the format
> expected by that policy function.  Does it? The freeradius -X output would
> show this.
>
>
>> post-auth {
>>                  if (LDAP-Group ="grp-ssid-%{Called-Station-SSID}") {
>>                          update reply {
>>                                  Reply-Message = "Hello %{User-Name}: accès permis sur %{Called-Station-SSID}"
>>                          }
>>
>
> freeradius -X output would show what's happening. Note that the "="
> operator is probably not what you want.  And that the LDAP-Group attribute
> is multi-valued so you want [*] to check for all values, not just the
> first. And also, dependent on how you've configured your LDAP lookup, the
> LDAP-Group attribute is a "magic" attribute which may return empty string
> unless you explicitly use the "&" prefix.
>
> So I'd suggest writing it like this:
>
> if (&LDAP-Group[*] == "grp-ssid-%{Called-Station-SSID}") {
>   ...
> }
>
> HTH,
>
> Brian.
>
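As an added illustration (not code from this thread and not the FreeRADIUS project's own source), the Python below models the two things discussed above: the Called-Station-Id parsing that the rewrite_called_station_id policy has to succeed at before Called-Station-SSID exists at all, and the multi-valued group comparison Brian suggests. The regular expression is my reading of the shape of that policy (a MAC in the common separator styles, optionally followed by ":SSID") and is an assumption, not the project's code; the Called-Station-Id values, group lists and the tiny %{...} expander are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumption: this mirrors the shape of rewrite_called_station_id in
# policy.d/filter (six hex octets with optional '-', ':' or '.' separators,
# then an optional ':SSID' suffix). It is a re-implementation for
# illustration, not the policy's actual text.
CALLED_STATION_RE = re.compile(
    r"^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})(?::(.+))?$",
    re.IGNORECASE,
)


def rewrite_called_station_id(called_station_id: str) -> Tuple[str, Optional[str]]:
    """Return (normalised Called-Station-Id, Called-Station-SSID or None).

    The MAC part is canonicalised to lower-case, dash-separated form. The
    SSID is only produced when the AP appended ':SSID'. If the value does
    not match at all (for example an AP that sends a host name), the input
    is returned unchanged and no SSID is set: that is the 'noop' path, and
    the reason %{Called-Station-SSID} can expand to nothing later on.
    """
    m = CALLED_STATION_RE.match(called_station_id)
    if not m:
        return called_station_id, None
    mac = "-".join(m.group(i).lower() for i in range(1, 7))
    return mac, m.group(7)


def ssid_group_allowed(ldap_groups: List[str], ssid: Optional[str]) -> bool:
    """Model of  if (&LDAP-Group[*] == "grp-ssid-%{Called-Station-SSID}").

    The [*] form compares every value of the multi-valued attribute, not
    just the first. In unlang an unset attribute expands to "", so the
    comparison would then look for a group literally named "grp-ssid-";
    an unset SSID is rejected outright here so a stray group of that name
    can never grant access.
    """
    if not ssid:
        return False
    return f"grp-ssid-{ssid}" in ldap_groups


def expand(template: str, attrs: Dict[str, str]) -> str:
    """Simplified %{Attribute} expansion: unknown/unset names become "".

    This reproduces the '## username - ##' symptom from the thread when
    Called-Station-SSID was never set in the request.
    """
    return re.sub(r"%\{([A-Za-z0-9-]+)\}", lambda m: attrs.get(m.group(1), ""), template)


if __name__ == "__main__":
    # Constructed sample requests: one AP appends the SSID, one does not,
    # one sends something the policy cannot parse at all.
    groups = ["grp-staff", "grp-ssid-Corp-WiFi"]
    for called in ("00-11-22-33-44-55:Corp-WiFi", "0011.2233.4455", "AP-Office-1"):
        mac, ssid = rewrite_called_station_id(called)
        attrs = {"User-Name": "username"}
        if ssid:
            attrs["Called-Station-SSID"] = ssid
        msg = expand("## %{User-Name} - %{Called-Station-SSID} ##", attrs)
        print(f"{called!r:32} -> mac={mac} ssid={ssid!r} allowed={ssid_group_allowed(groups, ssid)} {msg}")
```

Running this against the three constructed values shows the diagnostic Pierre describes: only the first value yields an SSID, so only it can ever match a grp-ssid-* group, and the other two print an empty field exactly where the SSID should be. Comparing the radiusd -X output with the first case (a Called-Station-Id that carries the ":SSID" suffix) is the quickest way to tell whether the AP, rather than the policy, is what needs changing.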

