On 24/10/2016 22:07, tj2718@aol.com wrote:
It looks like while I have the LDAP check enabled the computers using certificates get rejected because they are not found by the LDAP search/filter.
(5) if (Ldap-Group == "WiFi") -> FALSE
I was bitten by that too. Try changing it to: if (&Ldap-Group == "WiFi") Reason: Ldap-Group is a "magic" attribute. Rather than actually being stored on an AV list, a comparison operator which references this attribute triggers some code which performs the actual LDAP lookup(s). However, whereas in most places in FreeRADIUS the & is optional, here it's not. If you miss it, it silently fails; perhaps it is looking on the "real" AV list instead. In addition: since Ldap-Group is multi-valued, and you want to check if *any* of the groups is "WiFi", you may want to write instead if (&Ldap-Group[*] == "WiFi") If this were a normal attribute, missing the [*] would mean you only check against the first value of a multi-valued attribute. With a "magic" attribute I don't know if it's necessary, but it doesn't harm to have it. There is another way to deal with this, which is to enable one of these settings: cacheable_name = 'no' cacheable_dn = 'no' They cause the LDAP group query to be performed up-front and the results stored as real AV pairs (either the group names or the group DNs respectively). Then you can use them just like any normal attribute, e.g. in string expansions, and the '&' is optional again. Regards, Brian.