On Oct 27, 2017, at 7:49 AM, Евгений Подберезкин <epodber@gmail.com> wrote:
Thanks for the reply. I 've already added the realms to proxy.conf , but adding ntdomain module wasn`t obvious for me (suffix is enabled by default, so I did not care of it).
Yes, that's not obvious.
I have one more question, could you give me hint.
If check LDAP-Group in etc/raddb/users, it works.
DEFAULT chtpzldap-LDAP-Group == "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru"
DEFAULT Auth-Type := Reject Reply-Message = "Group do not match"
But if I need to set an attribute in post-auth, it does not
F.e. in sites-enabled/default or sites-enabled/inner-tunnel
That sets the attribute in the *inner-tunnel*. You still need to get it to the outer, default server. See raddb/mods-available/eap. Look for "use_tunneled_reply".
post-auth {
if (chtpzldap-LDAP-Group == "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru") { Tunnel-Private-Group-ID := "165" }
radiusd -X :
(9) # Executing section post-auth from file /opt/freeradius3/etc/raddb/sites-enabled/default (9) post-auth { (9) if (chtpzldap-LDAP-Group == "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru") { (9) *if (chtpzldap-LDAP-Group == "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru") -> FALSE*
Which means it doesn't match. Find out why, first. See the comments at the top of the "inner-tunnel" virtual server for how to debug it. Alan DeKok.