I was bitten by that too. Try changing it to:
if (&Ldap-Group == "WiFi")
I made the change recommended and it still results in certificates being rejected with (6) if (&Ldap-Group == "WiFi") -> FALSE
In addition: since Ldap-Group is multi-valued, and you want to check if *any* of the groups is "WiFi", you may want to write instead
if (&Ldap-Group[*] == "WiFi")
I tried this change as well but certificates were still rejected. (6) if (&Ldap-Group[*] == "WiFi") -> FALSE
There is another way to deal with this, which is to enable one of these settings:
cacheable_name = 'no' cacheable_dn = 'no'
I also tried the cacheable_name = 'no' and tried cacheable_name = 'yes' with certificates being rejected both times. Is using certificates for computers mutually exclusive of being able to use Active Directory username and passwords? Thank you, Travis