Trying to Authorize Users based on AD Groups and SSIDs

Herwin Weststrate herwin at quarantainenet.nl
Thu Feb 16 14:22:45 CET 2017


On 16-02-17 14:12, Misbah Hussaini wrote:
> Dear Alan,
> 
>> The "if" condition doesn't match.  Why?  Go read the debug output.  Run
>> tests on each "if" check.  *Understand* how the server works.
> 
> I changed the if condition to below but still the if condition is not
> matching, I can confirm from logs that Called-Station-SSID is set to
> SSID02362, what's wrong in the if condition?
> 
>  if (!State) {
>                 if ((Called-Station-SSID == "SSID02362") ) {
>                         reject
>                 }
>         }
> 
> Here is processing of rewrite statement from debug, full debug can be found
> here -> http://pastebin.com/SuS2t9Er

You're changing the Called-Station-SSID in the outer tunnel (line 1848),
then sending a tunneled request (line 1911) with only a few attributes. The
check is performed in the inner tunnel, and can't find the
Called-Station-SSID.

Possible solutions:
- Perform the check in the outer tunnel
- Write to/Read from session-state:Called-Station-SSID
- Use outer:request:Called-Station-SSID (or whatever the exact syntax
  was) to use the outer request.

-- 
Herwin Weststrate
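
The second and third options above, written out in FreeRADIUS 3.x unlang as an added example (not part of the original post or the poster's configuration). It assumes the outer server lives in sites-enabled/default, the inner one in sites-enabled/inner-tunnel, and that Called-Station-SSID has already been set in the outer request; the attribute name and SSID value are the ones from the thread.

```unlang
# sites-enabled/default (outer server; file name is an assumption)
authorize {
    # ... runs after the step that sets Called-Station-SSID
    #     in the outer request ...

    # Option 2 (write side): keep the SSID in session-state so it
    # stays with the EAP session across the challenge round trips.
    update session-state {
        &Called-Station-SSID := &request:Called-Station-SSID
    }

    eap
}

# sites-enabled/inner-tunnel (inner server; file name is an assumption)
authorize {
    # Does not match: the tunneled request only carries the inner
    # attributes, so the unqualified reference finds nothing here.
    # if (&Called-Station-SSID == "SSID02362") { reject }

    # Option 3: read the attribute straight from the outer request.
    if (&outer.request:Called-Station-SSID == "SSID02362") {
        reject
    }

    # Option 2 (read side): read the copy stored by the outer server.
    if (&outer.session-state:Called-Station-SSID == "SSID02362") {
        reject
    }
}
```

Only one of the two inner checks is needed; running the server with -X shows which list the condition was expanded against.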

