1. Edit "raddb/dictionary" to define a local attribute to store the data
ATTRIBUTE Eduroam-Enabled 3010 string
2. Modify "ldap.attrmap" to copy your LDAP attribute into this local RADIUS attribute:
replyItem Eduroam-Enabled haDirittoEduroam
3. Check the attribute like so in "sites-enabled/inner-tunnel":
authorize { ... ldap if (reply:Eduroam-Enabled != "Y") { reject } ... }
With this reject command in the authorize section is there a method to
supply a custom reply message? An observation I made with the if statement as above, if the attribute is not present on the user object it will evaluate false, thus allowing the user access. Thu Sep 20 14:31:23 2012 : Info: ++? if (reply:RadiusAccess != "TRUE") Thu Sep 20 14:31:23 2012 : Info: (Attribute reply:RadiusAccess was not found) Thu Sep 20 14:31:23 2012 : Info: ? Evaluating (reply:RadiusAccess != "TRUE") -> FALSE Thu Sep 20 14:31:23 2012 : Info: ++? if (reply:RadiusAccess != "TRUE") -> FALSE This can prevented by following Phil's suggestion to only search for users with the required attribute filter = "(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(rADIUSEnableDialAccess=*))"
There are probably other ways to do it, including using an "xlat" to lookup the attribute i.e. variation of step 2, or modifying the ldap queries to only "see" those users. - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>