Reading the documentation I am still at a loss. I am familiar on how to do this with Cisco ACS, but looking to do it now with free radius. I now have it working if I check the Cisco-avpair under the user in dalo Radius (Cisco-avpair =~ .*SSID$) . Is there a way to configure this so i dont have to keep typing that attribute under every user? I thought the group would work, but from what you are saying it sounds like it wouldnt. I have tried saying if it doesnt match the above regex then the Radgroupreply says ( Auth-Typ := Reject) Thank you for your time. Dan On Mon, Jul 28, 2014 at 2:15 PM, Alan DeKok <aland@deployingradius.com> wrote:
Dan Fleming wrote:
Thank you I have read through it makes sense. So how do I do something based on the results?
The SQL document talks about "radreply", which lets you do something with the results.
I would like to only authorize a connection if the users password matches and they are connecting to the correct ssid in the av-pair. Is there a HOWTO or other document outlining how to do
that?
No. Because that's a specific solution. The documents describe how the server works, and lets you put it together yourself.
For your situation, the key is to understand that the server accepts users if their password is correct. If you add more conditional checks, the user is still accepted.
The solution is either to:
a) set the "known good" password ONLY if the conditions also match. The SQL documentation describes how to set conditions
b) if the password is stored somewhere else (e.g. LDAP), then you need to REJECT the user if the conditions match.
Alan DeKok. - List info/subscribe/unsubscribe? See