Hi, On 07/24/2017 11:35 PM, Arran Cudbard-Bell wrote:
I'm using FreeRADIUS Version 3.0.12.
I'm doing EAP-TTLS/PAP and I have the following policy in the authorize section of the inner tunnel virtual server (same behaviour when it's in post-auth):
That's an odd one, feel free to open a GitHub issue.
For a quick workaround, you may be able to copy the value of the expansion to a temporary attribute and use that.
i.e.
update request { Tmp-String-0 := "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" }
if (LDAP-Group == &Tmp-String-0) { update reply { Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 } }
Let me know if it works. May give some insight as to what's going on.
Thanks for your quick response. Tried it but when I start freeradius: /etc/freeradius/3.0/policy.d/w2vgroupcheck[8]: Parse error in condition /etc/freeradius/3.0/policy.d/w2vgroupcheck[8]: (LDAP-Group == &Tmp-String-0) { /etc/freeradius/3.0/policy.d/w2vgroupcheck[8]: ^ Cannot use attribute reference on right side of condition Errors reading or parsing /etc/freeradius/3.0/radiusd.conf As you suggested I will open a GitHub issue. But are there any other suggestions for a workaround? Unfortunately I really need one. I thought about doing the group check more explicitly. Ist that possible somehow? Thanks Klara