VLan affect based on ldap attribute freeradius v3

Matthew Newton mcn at freeradius.org
Thu Aug 30 23:12:54 CEST 2018


On Thu, 2018-08-30 at 22:55 +0200, jehan procaccia int wrote:
> I did that, but it still fails, now with the error:
> 
> (30)       if (( &reply:User-Category == "employee") || (&reply:User-
> Category == "faculty") || (&reply:User-Category == "staff" ) ||
> (&reply:User-Category == "researcher") || (&reply:User-Category ==
> "member")) {
> (30)       ERROR: Failed retrieving values required to evaluate
> condition
> (30)       elsif ( (&reply:User-Category == "student" ) ||
> (&reply:User-Category == "affiliate") ) {
> (30)       ERROR: Failed retrieving values required to evaluate
> condition
> (30)       else {
> (30)         update reply {
> (30)           Tunnel-Private-Group-Id := 902

So put

  debug_reply

above that line and see if the attribute has been set there.

> then it is still not clear whether my attribute is named User-Category
> or UserCategory (without "-") !?

Look in the dictionary. It is "User-Category".

> and what's the difference between reply and &reply ?

&reply says to use the attribute value. In v2 you didn't need to say
that. You should in v3 to save ambiguity.

> /etc/raddb/sites-enabled/../vlanaffect.conf[3]: Unknown attribute
> 'UserCategory'

Because it's User-Category.

> in  mods-available/ldap I have the following mapping
> 
> ldap prod {
>  update {
>  reply:User-Category                     +=
> 'eduPersonPrimaryAffiliation'
> 
> should (can ?) I rename :User-Category to :UserCategory here ? 

No

> > > is there a way to print the value of an attribute to check
> > > its *name* and *value*?
> > 
> > debug_reply
> where do you set that? I do see in policy.d/debug

Where you need to find out what the reply list contains. As above.

> I use eduroam with peap mschapv2 (inner-tunnel) , maybe different
> radius packets are involved, it would be in my vlanaffec script that
> I would change reply with session-state ? 

Change all reply:User-Category to session-state:User-Category.

But find out whether it's set or not first.

-- 
Matthew
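
The steps from this reply put together, as an added sketch that is not code from the thread or from the FreeRADIUS project: dump the lists first, then test for the attribute's presence before comparing it. It assumes the debug output showed that session-state is the list to use; VLAN IDs 901 and 903 are placeholders, and only the changed ldap mapping line is shown.

```unlang
# Added sketch, not the poster's vlanaffect.conf. User-Category and VLAN 902
# come from the thread; VLAN 901 and 903 are placeholder values.

# 1. Dump the lists just above the conditions (policies from policy.d/debug)
#    and look in the radiusd -X output for User-Category and its list.
debug_reply
debug_session_state

# 2. Shown for the session-state case. Test for presence first, so the
#    comparisons only run when there is a value to compare.
if (!&session-state:User-Category) {
	update reply {
		Tunnel-Private-Group-Id := 902
	}
}
elsif ((&session-state:User-Category == "employee") ||
       (&session-state:User-Category == "faculty") ||
       (&session-state:User-Category == "staff") ||
       (&session-state:User-Category == "researcher") ||
       (&session-state:User-Category == "member")) {
	update reply {
		Tunnel-Private-Group-Id := 901
	}
}
elsif ((&session-state:User-Category == "student") ||
       (&session-state:User-Category == "affiliate")) {
	update reply {
		Tunnel-Private-Group-Id := 903
	}
}
else {
	update reply {
		Tunnel-Private-Group-Id := 902
	}
}

# 3. mods-available/ldap: the mapping has to write to the same list that the
#    conditions read. Only the changed line of the update section is shown.
ldap prod {
	update {
		session-state:User-Category += 'eduPersonPrimaryAffiliation'
	}
}
```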


