Evaluate Ldap-Group and SSID for WiFi authorization
Adam Cage
adamcage27 at gmail.com
Wed Aug 23 19:09:01 CEST 2017
Dear Alan, I've done what you said, and this too:
if (LDAP-Group == "GROUP1" && Called-Station-Id =~ /:Free$/)
But I fail again; below is the debug.
Maybe I have to add a new attribute "Called-Station-Id" for each AD
username? Because I've never added it at all in AD, and in the debug I can
read *Attribute Called-Station-Id was not found*:
Debug: rlm_ldap::ldap_groupcmp: User found in group GROUP1
Wed Aug 23 14:01:16 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Wed Aug 23 14:01:16 2017 : Info: ? Evaluating (LDAP-Group == "GROUP1" ) -> TRUE
Wed Aug 23 14:01:16 2017 : Info: (Attribute Called-Station-Id was not found)
Wed Aug 23 14:01:16 2017 : Info: ? Evaluating (Called-Station-Id =~ /:Free$/) -> FALSE
Wed Aug 23 14:01:16 2017 : Info: ++? if (LDAP-Group == "GROUP1" && Called-Station-Id =~ /:Free$/) -> FALSE
Wed Aug 23 14:01:16 2017 : Info: ++else else {
Wed Aug 23 14:01:16 2017 : Info: +++[reject] = reject
Wed Aug 23 14:01:16 2017 : Info: ++} # else else = reject
Wed Aug 23 14:01:16 2017 : Info: +} # group authorize = reject
Thanks again, regards!!!
2017-08-23 10:59 GMT-03:00 Alan DeKok <aland at deployingradius.com>:
> On Aug 23, 2017, at 9:06 AM, Adam Cage <adamcage27 at gmail.com> wrote:
> >
> > People, good morning... I have a FreeRADIUS with AD authentication and LDAP
> > authorization working OK.
>
> That's good.
>
> > Now I have to authorize users that belong to GROUP1 and have SSID = Free. I
> > have these definitions:
> >
> > - GROUP1 is a group defined in the AD
> >
> > - SSID comes with Called-Station-Id in the form MAC Address:SSID, for
> > example "51:bc:11:e1:34:70:Free", and it's not defined in the AD
>
> That's the standard way it's received, yes.
>
> > - The clause defined in default and inner-tunnel files is:
> >
> > if (LDAP-Group == "GROUP1" && Called-Station-Id == "*:Free") {
>
> No, that won't work. See "man unlang". The equality comparison ==
> tests for *equality*. And the string "51:bc:11:e1:34:70:Free" isn't equal
> to the string ":Free"
>
> You should use regular expressions instead: See the =~ operator.
>
> > After testing, I fail and this is the debug:
> >
> > Wed Aug 23 09:34:58 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in group GROUP1
> > Wed Aug 23 09:34:58 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
> > Wed Aug 23 09:34:58 2017 : Info: ? Evaluating (LDAP-Group == "GROUP1" ) -> TRUE
> > Wed Aug 23 09:34:58 2017 : Info: (Attribute Called-Station-Id was not found)
>
> That's a different error.
>
> It means that the Called-Station-ID attribute wasn't found... so you
> can't do matches on it.
>
> Fix that problem first. You probably want:
>
> if (LDAP-Group == "GROUP1" && outer:Called-Station-Id =~ /:Free$/) {
>
> Alan DeKok.
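An added example, not taken from the thread and not FreeRADIUS's stock configuration: the same policy written out for both virtual servers, which is where the two debug runs above diverge. The group name, SSID and site file names are the ones from the thread; the `outer.request:` list prefix is the form documented in `man unlang` for reading the outer request from inside the inner tunnel, and the placement inside `authorize` (after the stock module calls) is an assumption.

```unlang
# sites-enabled/default -- authorize section of the OUTER virtual server.
# Called-Station-Id is sent by the NAS and is present in this request, so it
# can be matched directly. "==" would need the whole "mac:ssid" string;
# "=~" with an anchored regex only requires the suffix ":Free".
authorize {
    # stock module calls (preprocess, eap, ldap, ...) stay above this point;
    # LDAP-Group is resolved by rlm_ldap's group comparison, as the thread's
    # "ldap_groupcmp: User found in group GROUP1" debug line shows.

    if (LDAP-Group == "GROUP1" && Called-Station-Id =~ /:Free$/) {
        ok
    }
    else {
        reject
    }
}

# sites-enabled/inner-tunnel -- authorize section of the INNER virtual server
# used by PEAP/TTLS. The inner request is built from the EAP payload and does
# not carry the NAS attributes, which is why the inner-tunnel debug prints
# "Attribute Called-Station-Id was not found" and the comparison is FALSE.
# Read the attribute from the outer request instead (list prefix assumed from
# "man unlang").
authorize {
    # stock module calls stay above this point, as in the outer server.

    if (LDAP-Group == "GROUP1" && outer.request:Called-Station-Id =~ /:Free$/) {
        ok
    }
    else {
        reject
    }
}
```

Re-run the test with `radiusd -X`: the inner-tunnel evaluation line should now report TRUE for the `Called-Station-Id` comparison instead of the "was not found" message. The regex is anchored and case-sensitive, so an SSID such as `FreeGuest` or `free` is still rejected, and because it keys only on the `:SSID` suffix it does not matter whether the access point formats the MAC with colons or hyphens.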