Thanks Alan for the quick response! The configuration has been corrected. authorize { ... if (specific AP) { update reply { Tunnel-Private-Group-Id := %{ldap:ldap:///ou=Users,dc=edu,dc=kkc,dc=imc,dc=com?uid?sub?uid=%u(radiusTunnelPrivateGroupId)} } } It will be an error. Do you understand the cause? Please tell me the solution. Below is my debug output Mon Jul 22 14:07:39 2019 : Debug: radiusd: #### Loading Virtual Servers #### Mon Jul 22 14:07:39 2019 : Debug: server { # from file /etc/raddb/radiusd.conf Mon Jul 22 14:07:39 2019 : Debug: } # server Mon Jul 22 14:07:39 2019 : Debug: server default { # from file /etc/raddb/sites-enabled/default Mon Jul 22 14:07:39 2019 : Debug: authenticate { Mon Jul 22 14:07:39 2019 : Debug: group { Mon Jul 22 14:07:39 2019 : Debug: mschap Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: mschap Mon Jul 22 14:07:39 2019 : Debug: group { Mon Jul 22 14:07:39 2019 : Debug: if (&Realm == "edu.com" || &Realm == "edu.imc.com" || &Realm == "kkc.com") { Mon Jul 22 14:07:39 2019 : Debug: ldap_generalusers Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: elsif (&Realm == "NULL") { Mon Jul 22 14:07:39 2019 : Debug: if (&NAS-IP-Address == 10.254.x.xxx && &Framed-IP-Address =~ /^10\.241(\.[0-9]{1,3}){2}$/) { Mon Jul 22 14:07:39 2019 : Debug: ldap_outside Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: else { Mon Jul 22 14:07:39 2019 : Debug: ldap_allstudent Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: eap Mon Jul 22 14:07:39 2019 : Debug: } # authenticate Mon Jul 22 14:07:39 2019 : Debug: authorize { Mon Jul 22 14:07:39 2019 : Debug: policy rewrite_called_station_id { Mon Jul 22 14:07:39 2019 : Debug: if (&Called-Station-Id && &Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/) { Mon Jul 22 14:07:39 2019 : Debug: update { Mon Jul 22 14:07:39 2019 : Debug: &Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: if ("%{8}") { Mon Jul 22 14:07:39 2019 : Debug: update { Mon Jul 22 14:07:39 2019 : Debug: &Called-Station-SSID := "%{8}" Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: updated Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: else { Mon Jul 22 14:07:39 2019 : Debug: noop Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: preprocess Mon Jul 22 14:07:39 2019 : Debug: mschap Mon Jul 22 14:07:39 2019 : Debug: digest Mon Jul 22 14:07:39 2019 : Debug: suffix Mon Jul 22 14:07:39 2019 : Debug: eap Mon Jul 22 14:07:39 2019 : Debug: if { Mon Jul 22 14:07:39 2019 : Debug: ldap_allstudents Mon Jul 22 14:07:39 2019 : Debug: update { Mon Jul 22 14:07:39 2019 : Debug: &control:Auth-Type := LDAP Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: update { Mon Jul 22 14:07:39 2019 : Debug: &reply:Tunnel-Private-Group-Id := %{ldap:ldap:///ou=Users Mon Jul 22 14:07:39 2019 : Debug: &reply:dc = edu Mon Jul 22 14:07:39 2019 : Debug: &reply:dc = kkc Mon Jul 22 14:07:39 2019 : Debug: &reply:dc = imc Mon Jul 22 14:07:39 2019 : Debug: &reply:dc = Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: expiration Mon Jul 22 14:07:39 2019 : Debug: logintime Mon Jul 22 14:07:39 2019 : Debug: } # authorize Mon Jul 22 14:07:39 2019 : Debug: preacct { Mon Jul 22 14:07:39 2019 : Debug: preprocess ..... Mon Jul 22 14:07:39 2019 : Debug: if (&outer.request:Called-Station-SSID == 'authtest') { Mon Jul 22 14:07:39 2019 : Debug: update { Mon Jul 22 14:07:39 2019 : Debug: &control:Auth-Type := LDAP Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: update { Mon Jul 22 14:07:39 2019 : Debug: &reply:Tunnel-Private-Group-Id := %{ldap:ldap:///ou=Users Mon Jul 22 14:07:39 2019 : Debug: &reply:dc = edu Mon Jul 22 14:07:39 2019 : Debug: &reply:dc = kkc Mon Jul 22 14:07:39 2019 : Debug: &reply:dc = imc Mon Jul 22 14:07:39 2019 : Debug: &reply:dc = Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: updated Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Debug: } Mon Jul 22 14:07:39 2019 : Error: /etc/raddb/sites-enabled/default[463]: Unknown attribute 'dc' Regards n.n -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+nobuatsu.nishimura.dg=ps.hitachi-solutions.com@lists.freeradius.org> On Behalf Of Alan DeKok Sent: Friday, July 19, 2019 7:57 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: [!]Re: I want to branch an ldap attribute On Jul 18, 2019, at 10:33 PM, 西村暢敦 / NISHIMURA,NOBUATSU <nobuatsu.nishimura.dg@ps.hitachi-solutions.com> wrote:.
I want to get vlanId (radiusTunnelPrivateGroupId) of the user I want to authenticate. Ldap query How should I write?
See LDAP documentation for how to write LDAP queries. Then, paste the query into the FreeRADIUS configuration.
You can do dynamic LDAP queries:
authorize { ... if (specific AP) { update reply { Tunnel-Private-Group-Id := "{ldap:ldap:///ou=Users,dc=edu,dc=com,uid?sub?radiusTunnelPrivateGroupId?}"
That isn't correct. The expansion uses %{...}.
} }
→ Failed parsing expanded string
Post the debug output. There is just *no* reason for failing to do this.
Is there a description method?
There's lots of documentation for both FreeRADIUS and for LDAP.
Can I get vlan registered in ldap with any uid?
That's a question for LDAP, not FreeRADIUS. Alan DeKok. - List info/subscribe/unsubscribe? See https://clicktime.symantec.com/3Jn9zUmALWM37pVmvREZ6F97Vc?u=http%3A%2F%2Fwww...