On Wed, Aug 09, 2017 at 12:57:16PM -0300, Alejandro Cabrera Obed wrote:
According to your response, I see I have to configure the /etc/freeradius/modules/ldap file with my AD parameteres (IP, port, user/pass for query, etc).
Yes. And the group settings so it knows how to query groups correctly.
1) Do I have to add a new attribute in the AD for each user, with a SSID field in order to check it through LDAP lookup ?
No, you can add the users to an AD group. Then you check the user is in that group, for a certain condition. So if you add user 'bob' to group 'sales', and configure the group settings in ldap correctly, you can do something like if (Ldap-group == 'sales') { ... } Ldap-group is a "magic" attribute which will trigger an ldap lookup behind the scenes. The mods-enabled/ldap config has the settings to tell the ldap module to look up the User-Name attribute, hence it will look up 'bob' (User-Name) in 'sales' (from the if statement).
2) Which file do I have to add "if (Called-Station-SSID == "SSID1" and !(Ldap-Group == "group-ssid-one")) {reject}" sentence ?
sites-enabled/default (or sometimes sites-enabled/inner-tunnel, depending on what you're doing), likely in the authorize section, or the post-auth section.
3) What do I have to fill the Ldap-group attribute in my users file, If I want to check SSID attribute and after that compare it with the SSID coming into "Called-id-station"???
I wouldn't do it in your users file. Use unlang in the sites-enabled/ file as described above. The wiki page does give examples of this. -- Matthew