Evaluate Ldap-Group and SSID for WiFi authorization

Alan DeKok aland at deployingradius.com
Wed Aug 23 15:59:43 CEST 2017


On Aug 23, 2017, at 9:06 AM, Adam Cage <adamcage27 at gmail.com> wrote:
> 
> People, good morning...I have a Freeradius with AD authentication and LDAP
> authorization working OK.

  That's good.

> Now I have to authorize users that belong to GROUP1 and have SSID = Free, I
> have these definitions:
> 
> - GROUP1 is a group defined in the AD
> 
> - SSID comes with Called-Station-Id in the form MAC Address:SSID, for
> example "51:bc:11:e1:34:70:Free", and it's not defined in the AD

  That's the standard way it's received, yes.

> - The clause defined in default and inner-tunnel files is:
> 
> if (LDAP-Group == "GROUP1" &&  Called-Station-Id == "*:Free") {

  No, that won't work.  See "man unlang".  The equality comparison == tests for *equality*.  And the string "51:bc:11:e1:34:70:Free" isn't equal to the string ":Free"

  You should use regular expressions instead: See the =~ operator.

> After testing, I fail and this is the debug:
> 
> Wed Aug 23 09:34:58 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in
> group GROUP1
> Wed Aug 23 09:34:58 2017 : Debug:   [ldap] ldap_release_conn: Release Id: 0
> Wed Aug 23 09:34:58 2017 : Info: ? Evaluating (LDAP-Group == "GROUP1" ) ->
> TRUE
> Wed Aug 23 09:34:58 2017 : Info:     (Attribute Called-Station-Id was not
> found)

  That's a different error.

  It means that the Called-Station-ID attribute wasn't found... so you can't do matches on it.

  Fix that problem first.   You probably want:

	if (LDAP-Group == "GROUP1" &&  outer:Called-Station-Id =~ /:Free$/ ) {
	
  Alan DeKok.
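The three points in this exchange (== is a literal comparison, =~ takes an anchored regex, and the inner tunnel has to read Called-Station-Id from the outer request) modelled in Python as an added example; this is not code from the thread or from FreeRADIUS, and the request-as-dict with an "outer" key is an assumption made for the illustration.

```python
import re

# Equivalent of the unlang match Alan suggests: Called-Station-Id =~ /:Free$/
# The "$" anchor matters: without it an SSID such as "Freenet" would also match.
FREE_SSID = re.compile(r":Free$")

def original_check(called_station_id):
    """Models the posted clause. == compares whole strings, so the literal
    '*:Free' never equals '51:bc:11:e1:34:70:Free' (no wildcarding in ==)."""
    return called_station_id == "*:Free"

def regex_check(called_station_id):
    """Models Alan's fix: =~ with an anchored regex."""
    return FREE_SSID.search(called_station_id) is not None

def parse_called_station_id(value):
    """Split 'MAC:SSID' as laid out in RFC 3580. The MAC is six octets, so the
    SSID is everything after the 17-character MAC and its ':' separator, which
    also copes with SSIDs that themselves contain ':' (e.g. 'Not:Free', which
    /:Free$/ alone would accept). Accepts ':' (as in the thread) or '-' octet
    separators. Returns (mac, ssid) or None when the value is not that shape."""
    m = re.fullmatch(r"([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})(?::(.*))?", value)
    if not m:
        return None
    return m.group(1), m.group(2)

def authorize(request, ldap_groups, group="GROUP1", ssid="Free"):
    """The whole policy from the thread: user in GROUP1 and SSID 'Free'.
    `request` is a dict of attributes (assumed shape). Inside the inner tunnel
    Called-Station-Id is absent, so fall back to request['outer'], the way
    'outer:Called-Station-Id' does in unlang."""
    if group not in ldap_groups:
        return False
    csid = request.get("Called-Station-Id")
    if csid is None:
        csid = request.get("outer", {}).get("Called-Station-Id")
    if csid is None:
        return False  # the "Attribute Called-Station-Id was not found" case
    parsed = parse_called_station_id(csid)
    return parsed is not None and parsed[1] == ssid

if __name__ == "__main__":
    # Constructed sample inner-tunnel request, not taken from the thread's logs.
    inner = {"User-Name": "alice",
             "outer": {"Called-Station-Id": "51:bc:11:e1:34:70:Free"}}
    print(original_check("51:bc:11:e1:34:70:Free"))  # False
    print(regex_check("51:bc:11:e1:34:70:Free"))     # True
    print(authorize(inner, {"GROUP1"}))              # True
```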
