why is Called-Station-SSID not processed?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hi, I configured FR v.3.0.9 against LDAP and can successfully auth with EAPMD5/TLS/TTLS+PAP now I want to add check for Called-Station-SSID and am failing ... please, help me to understand what I miss? as you can see from debug bellow, configured in LDAP Called-Station-SSID (via radiusCheckItem as well as via mapped attribute) is ignored, and client is granted access I hoped if I set radiusCheckItem: Called-Station-SSID := 'SSID_ALLOWED' then check will be performed against Called-Station-SSID value processed - From Called-Station-Id what is wrong? here is debug: - ----[ quotation start ]------------------------------------------- (6) Received Access-Request Id 16 from 192.168.0.1:46326 to 192.168.0.254:1812 length 314 (6) User-Name = "jdoe" (6) NAS-Identifier = "jdoe.wrt" (6) Called-Station-Id = "9A-46-5E-3B-A1-0E:SSID_REQUESTED" (6) NAS-Port-Type = Wireless-802.11 (6) NAS-Port = 1 (6) Calling-Station-Id = "73-62-0A-DA-7C-5A" (6) Connect-Info = "CONNECT 54Mbps 802.11g" (6) Acct-Session-Id = "55BE1E6B-0000001C" (6) Framed-MTU = 1400 (6) EAP-Message = 0x0223008015001703010020b9f3cc80bf61ea3ab2b9ad0e3d5492f814652d30a19f2a0d562832d6db02468f1703010050e426680ec3a1a7db12904734432af8744492e725b6689affce7e093ed666bc0c3338fb8d3fd12d2eaca8b304c373e8e1d42f14db0683b1f4de08004 67ff2d302e44d864249a30d (6) State = 0x1df02c2d18d339202ca9dbdadeae133a (6) Message-Authenticator = 0x7e5712cf45d3b99b42e4b80452950d1a (6) session-state: No cached attributes (6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (6) authorize { (6) [preprocess] = ok (6) policy rewrite_calling_station_id { (6) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { (6) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE (6) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { (6) update request { (6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (6) --> 73-62-0A-DA-7C-5A (6) &Calling-Station-Id := 73-62-0A-DA-7C-5A (6) } # update request = noop (6) [updated] = updated (6) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) = updated (6) ... skipping else for request 6: Preceding "if" was taken (6) } # policy rewrite_calling_station_id = updated (6) auth_log: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (6) auth_log: --> /var/log/radacct/192.168.0.1/auth-detail-20150803 (6) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.0.1/auth-detail-20150803 (6) auth_log: EXPAND %t (6) auth_log: --> Mon Aug 3 23:46:13 2015 (6) [auth_log] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "jdoe", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) ntdomain: Checking for prefix before "\" (6) ntdomain: No '\' in User-Name = "jdoe", looking up realm NULL (6) ntdomain: No such realm "NULL" (6) [ntdomain] = noop (6) policy rewrite_called_station_id { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) update request { (6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (6) --> 9A-46-5E-3B-A1-0E (6) &Called-Station-Id := 9A-46-5E-3B-A1-0E (6) } # update request = noop (6) if ("%{8}") { (6) --> SSID_REQUESTED (6) if ("%{8}") -> TRUE (6) if ("%{8}") { (6) update request { (6) EXPAND %{8} (6) --> SSID_REQUESTED (6) &Called-Station-SSID := SSID_REQUESTED (6) } # update request = noop (6) } # if ("%{8}") = noop (6) [updated] = updated (6) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (6) ... skipping else for request 6: Preceding "if" was taken (6) } # policy rewrite_called_station_id = updated (6) eap: Peer sent EAP Response (code 2) ID 35 length 128 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x1df02c2d18d33920 (6) eap: Finished EAP session with state 0x1df02c2d18d33920 (6) eap: Previous EAP request found for state 0x1df02c2d18d33920, released from the list (6) eap: Peer sent packet with method EAP TTLS (21) (6) eap: Calling submodule eap_ttls to process data (6) eap_ttls: Authenticate (6) eap_ttls: Continuing EAP-TLS (6) eap_ttls: Done initial handshake (6) eap_ttls: [eaptls process] = ok (6) eap_ttls: Session established. Proceeding to decode tunneled attributes (6) eap_ttls: Got tunneled request (6) eap_ttls: User-Name = "jdoe" (6) eap_ttls: User-Password = "jdoe" (6) eap_ttls: Sending tunneled request (6) Virtual server inner-tunnel received request (6) User-Name = "jdoe" (6) User-Password = "jdoe" (6) server inner-tunnel { (6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "jdoe", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) ntdomain: Checking for prefix before "\" (6) ntdomain: No '\' in User-Name = "jdoe", looking up realm NULL (6) ntdomain: No such realm "NULL" (6) [ntdomain] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: No EAP-Message, not doing EAP (6) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}:-%{Calling-Station-Id}} (6) files: --> jdoe (6) [files] = noop rlm_ldap (ldap): Reserved connection (2) (6) ldap: EXPAND (|(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(|(authorizedService=802.1x@xyz)(authorizedService=802.1x-mac@xyz)))(&(cn=%{User-Name})(authorizedService=802.1x-eap-tls@xyz))) (6) ldap: --> (|(&(cn=jdoe)(|(authorizedService=802.1x@xyz)(authorizedService=802.1x-mac@xyz)))(&(cn=jdoe)(authorizedService=802.1x-eap-tls@xyz))) (6) ldap: Performing search in "ou=People,dc=xyz" with filter "(|(&(cn=jdoe)(|(authorizedService=802.1x@xyz)(authorizedService=802.1x-mac@xyz)))(&(cn=jdoe)(authorizedService=802.1x-eap-tls@xyz)))", scope "sub" (6) ldap: Waiting for search result... (6) ldap: User object found at DN "uid=jdoe,authorizedService=802.1x-eap-tls@xyz,uid=jdoe,ou=People,dc=xyz" (6) ldap: Performing search in "cn=wifi-xyz,ou=profiles,ou=RADIUS,dc=xyz" with filter "(objectclass=radiusprofile)", scope "base" (6) ldap: Waiting for search result... (6) ldap: Processing profile attributes (6) ldap: control:Called-Station-SSID := 'SSID_ALLOWED' (6) ldap: reply:Session-Timeout := 900 (6) ldap: reply:Reply-Message := 'You have entered SSID: SSID_ALLOWED.' (6) ldap: reply:Tunnel-Type := VLAN (6) ldap: reply:Tunnel-Medium-Type := IEEE-802 (6) ldap: reply:Tunnel-Private-Group-Id := '3481' (6) ldap: Processing user attributes (6) ldap: control:Cleartext-Password := 'jdoe' (6) ldap: control:Password-With-Header += 'jdoe' rlm_ldap (ldap): Released connection (2) (6) [ldap] = updated (6) [expiration] = noop (6) [logintime] = noop (6) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header (6) [pap] = updated (6) } # authorize = updated (6) Found Auth-Type = PAP (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (6) Auth-Type PAP { (6) pap: Login attempt with password (6) pap: Comparing with "known good" Cleartext-Password (6) pap: User authenticated successfully (6) [pap] = ok (6) } # Auth-Type PAP = ok (6) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (6) Login OK: [jdoe] (from client office021.xyz port 0 via TLS tunnel) (6) } # server inner-tunnel (6) Virtual server sending reply (6) Session-Timeout := 900 (6) Reply-Message := "You have entered SSID: SSID_ALLOWED." (6) Tunnel-Type := VLAN (6) Tunnel-Medium-Type := IEEE-802 (6) Tunnel-Private-Group-Id := "3481" (6) eap_ttls: Got tunneled Access-Accept (6) eap_ttls: No information to cache: session caching will be disabled for session e5b5fc820be72baebe838286f4df80848a5bfadd06493077391aec818504665c (6) eap: Sending EAP Success (code 3) ID 35 length 4 (6) eap: Freeing handler (6) [eap] = ok (6) } # authenticate = ok (6) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (6) post-auth { (6) update { (6) No attributes updated (6) } # update = noop (6) [exec] = noop (6) policy remove_reply_message_if_eap { (6) if (&reply:EAP-Message && &reply:Reply-Message) { (6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (6) else { (6) [noop] = noop (6) } # else = noop (6) } # policy remove_reply_message_if_eap = noop (6) } # post-auth = noop (6) Login OK: [jdoe] (from client office021.xyz port 1 cli 73-62-0A-DA-7C-5A) (6) Sent Access-Accept Id 16 from 192.168.0.254:1812 to 192.168.0.1:46326 length 0 (6) MS-MPPE-Recv-Key = 0x27eec264980471ed15d7d03785d - ----[ quotation end ]------------------------------------------- - -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlXAqooACgkQr3jpPg/3oypphACg/KT1YUFx9s3c7ay0iX6TYhUe rt8AoOAQNtaSkKj6Kna7EzjHJEl7sKSt =jM5p -----END PGP SIGNATURE-----
On Aug 4, 2015, at 2:05 PM, Zeus Panchenko <zeus@ibs.dn.ua> wrote:
I hoped if I set radiusCheckItem: Called-Station-SSID := 'SSID_ALLOWED'
See the wiki for the meaning of the operators. ":=" is an assignment operator. It doesn't do comparisons. And just doing a comparison is not enough, either. What do you want it to *do* when the comparison matches? You have to write that down, too. Alan DeKok.
Alan DeKok <aland@deployingradius.com> wrote:
On Aug 4, 2015, at 2:05 PM, Zeus Panchenko <zeus@ibs.dn.ua> wrote:
I hoped if I set radiusCheckItem: Called-Station-SSID := 'SSID_ALLOWED'
See the wiki for the meaning of the operators. ":=" is an assignment operator. It doesn't do comparisons.
yes, understood ... it has to be `=='
And just doing a comparison is not enough, either. What do you want it to *do* when the comparison matches?
I want it to be part of the condition for access allowing if Called-Station-SSID configured in LDAP matches the one processed from Called-Station-Id, then access is to be allowed, otherwise not
You have to write that down, too.
what is the right place to do that? It was working for me when I did it in v.2.x users file this way: ---[ quotation start ]------------------------------------------- DEFAULT Ldap-Group == "wifi-xyz", Called-Station-SSID == "SSID_ALLOWED", User-Profile := "cn=wifi-xyz,ou=profiles,ou=RADIUS,dc=xyz" Reply-Message := "%{User-Name}, SSID: %{Called-Station-SSID} access was permited to you.", Fall-Through = no ---[ quotation end ]------------------------------------------- but how to do that now via LDAP? -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)
On Aug 4, 2015, at 8:15 PM, Zeus Panchenko <zeus@ibs.dn.ua> wrote:
Alan DeKok <aland@deployingradius.com> wrote:
On Aug 4, 2015, at 2:05 PM, Zeus Panchenko <zeus@ibs.dn.ua> wrote:
I hoped if I set radiusCheckItem: Called-Station-SSID := 'SSID_ALLOWED'
See the wiki for the meaning of the operators. ":=" is an assignment operator. It doesn't do comparisons.
yes, understood ... it has to be `=='
And just doing a comparison is not enough, either. What do you want it to *do* when the comparison matches?
I want it to be part of the condition for access allowing
if Called-Station-SSID configured in LDAP matches the one processed from Called-Station-Id, then access is to be allowed, otherwise not
So... set it to reject the user if the Calling-Station-Id doesn't match.
You have to write that down, too.
what is the right place to do that?
It was working for me when I did it in v.2.x users file this way:
---[ quotation start ]------------------------------------------- DEFAULT Ldap-Group == "wifi-xyz", Called-Station-SSID == "SSID_ALLOWED", User-Profile := "cn=wifi-xyz,ou=profiles,ou=RADIUS,dc=xyz" Reply-Message := "%{User-Name}, SSID: %{Called-Station-SSID} access was permited to you.", Fall-Through = no ---[ quotation end ]-------------------------------------------
but how to do that now via LDAP?
I'm not sure. You can use that exact configuration in v3, so why not try that? Alan DeKok.
Alan DeKok <aland@deployingradius.com> wrote:
And just doing a comparison is not enough, either. What do you want it to *do* when the comparison matches?
I want it to be part of the condition for access allowing
if Called-Station-SSID configured in LDAP matches the one processed from Called-Station-Id, then access is to be allowed, otherwise not
So... set it to reject the user if the Calling-Station-Id doesn't match.
does it mean to hardcode all my access points data ... because MAC addresses differ but SSID part is the same
---[ quotation start ]------------------------------------------- DEFAULT Ldap-Group == "wifi-xyz", Called-Station-SSID == "SSID_ALLOWED", User-Profile := "cn=wifi-xyz,ou=profiles,ou=RADIUS,dc=xyz" Reply-Message := "%{User-Name}, SSID: %{Called-Station-SSID} access was permited to you.", Fall-Through = no ---[ quotation end ]-------------------------------------------
but how to do that now via LDAP?
I'm not sure. You can use that exact configuration in v3, so why not try that?
yes, I believe it'll work too ... but why use data in file when I configured almost all I need in LDAP? Isn't it be more flexible to hold that data in LDAP? I just do not know how to say FR to use LDAP attribute radiusCheckItem value "Called-Station-SSID == SSID_ALLOWED" to check it against processed one from Called-Station-Id ... can it be done, indeed, please? -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)
hello, before check if you want get data from ldap you can just launch ldap module: preprocess rewrite_called_station_id ldap if(Called-Station-SSID=="%{request:Station-SSID}") { ok } else { reject } On 08/06/2015 12:35 AM, Zeus Panchenko wrote:
Alan DeKok <aland@deployingradius.com> wrote:
And just doing a comparison is not enough, either. What do you want it to *do* when the comparison matches?
I want it to be part of the condition for access allowing
if Called-Station-SSID configured in LDAP matches the one processed from Called-Station-Id, then access is to be allowed, otherwise not
So... set it to reject the user if the Calling-Station-Id doesn't match.
does it mean to hardcode all my access points data ... because MAC addresses differ but SSID part is the same
---[ quotation start ]------------------------------------------- DEFAULT Ldap-Group == "wifi-xyz", Called-Station-SSID == "SSID_ALLOWED", User-Profile := "cn=wifi-xyz,ou=profiles,ou=RADIUS,dc=xyz" Reply-Message := "%{User-Name}, SSID: %{Called-Station-SSID} access was permited to you.", Fall-Through = no ---[ quotation end ]-------------------------------------------
but how to do that now via LDAP?
I'm not sure. You can use that exact configuration in v3, so why not try that?
yes, I believe it'll work too ... but why use data in file when I configured almost all I need in LDAP? Isn't it be more flexible to hold that data in LDAP?
I just do not know how to say FR to use LDAP attribute radiusCheckItem value "Called-Station-SSID == SSID_ALLOWED" to check it against processed one from Called-Station-Id ... can it be done, indeed, please?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
does it mean to hardcode all my access points data ... because MAC addresses differ but SSID part is the same
no...carry on as you are, selecting the SSID part of your CSI attribute....but just call ldap with the if(){} stuff as explained
yes, I believe it'll work too ... but why use data in file when I configured almost all I need in LDAP? Isn't it be more flexible to hold that data in LDAP?
yep alan
A.L.M.Buxey@lboro.ac.uk wrote:
does it mean to hardcode all my access points data ... because MAC addresses differ but SSID part is the same
no...carry on as you are, selecting the SSID part of your CSI attribute....but just call ldap with the if(){} stuff as explained
it works if I map Called-Station-SSID to something (I managed it to map to telephoneNumber in *user* LDAP object) while trying to achieve that via LDAP group usage, I found it is not checked until it is configured in users file as I described before ... but it looks odd to write by hands each situation in users file when all other data is in LDAP ... so, what is the correct way to configure LDAP group checking? in debug I can not see any attempt to check it and in general ... what is the LDAP equivalent to users file configuration? like: DEFAULT Ldap-Group == "wifi-abc", Called-Station-SSID == "ABC", User-Profile := "cn=wifi-abc,ou=rad-profiles,dc=xyz" -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)
On Aug 8, 2015, at 10:48 PM, Zeus Panchenko <zeus@ibs.dn.ua> wrote:
and in general ... what is the LDAP equivalent to users file configuration?
There is no LDAP equivalent to the "users" file configuration. If there was, it would be documented. The SQL module has configuration similar to the "users" file. And it is documented as doing exactly that. Alan DeKok.
Alan DeKok <aland@deployingradius.com> wrote:
On Aug 8, 2015, at 10:48 PM, Zeus Panchenko <zeus@ibs.dn.ua> wrote:
and in general ... what is the LDAP equivalent to users file configuration?
There is no LDAP equivalent to the "users" file configuration. If there was, it would be documented.
ok, finally I have checked my v.2.x "users" file configuration against v.3.0.9 installation and found, that in my case, User-Profile, set for DEFAULT user in "users" is not applied at all ... though group check is passed successfully and I am unable to find anything what could shade light on the cause ... so, help me to see it please ... here is what I receive: ---[ -X debug start ]------------------------------------------- ... (6) files: No group membership attribute(s) found in user object rlm_ldap (ldap): Released connection (8) (6) files: User is not a member of "wifi-lcu" (6) files: Searching for user in group "visitor" rlm_ldap (ldap): Reserved connection (9) (6) files: Using user DN from request "uid=rad-visitor,authorizedService=802.1x-eap-tls@xyz,uid=fo02-admin,ou=People,dc=xyz" (6) files: Checking for user in group objects (6) files: EXPAND (&(cn=visitor)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})) (6) files: --> (&(cn=visitor)(memberUid=rad-visitor)) (6) files: Performing search in "ou=groups,ou=RADIUS,dc=xyz" with filter "(&(cn=visitor)(memberUid=rad-visitor))", scope "sub" (6) files: Waiting for search result... (6) files: User found in group object "ou=groups,ou=RADIUS,dc=xyz" rlm_ldap (ldap): Released connection (9) (6) files: users: Matched entry DEFAULT at line 95 (6) files: EXPAND User-Profile is %{User-Profile} (6) files: --> User-Profile is (6) [files] = ok rlm_ldap (ldap): Reserved connection (10) ... ---[ -X debug end ]------------------------------------------- ---[ "users" file starting from L95 quotation start ]----------- DEFAULT Ldap-Group == 'visitor', User-Profile := "cn=visitor,ou=profiles,ou=RADIUS,dc=ibs" Reply-Message := "User-Profile is %{User-Profile}", Fall-Through = no ---[ "users" file quotation end ]----------------------------- -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)
On 12 Aug 2015, at 18:22, Zeus Panchenko <zeus@ibs.dn.ua> wrote:
Alan DeKok <aland@deployingradius.com> wrote:
On Aug 8, 2015, at 10:48 PM, Zeus Panchenko <zeus@ibs.dn.ua> wrote:
and in general ... what is the LDAP equivalent to users file configuration?
There is no LDAP equivalent to the "users" file configuration. If there was, it would be documented.
ok, finally I have checked my v.2.x "users" file configuration against v.3.0.9 installation and found, that in my case,
User-Profile, set for DEFAULT user in "users" is not applied at all ... though group check is passed successfully
and I am unable to find anything what could shade light on the cause ... so, help me to see it please ...
That'd be %{control:User-Profile} unless check items are more bizarre than I think they are... Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
ok, finally I have checked my v.2.x "users" file configuration against v.3.0.9 installation and found, that in my case,
User-Profile, set for DEFAULT user in "users" is not applied at all ... though group check is passed successfully
and I am unable to find anything what could shade light on the cause ... so, help me to see it please ...
That'd be %{control:User-Profile} unless check items are more bizarre than I think they are...
the same ... ---[ quotation start ]------------------------------------------- ... (6) files: User found in group object "ou=groups,ou=RADIUS,dc=xyz" rlm_ldap (ldap): Released connection (9) (6) files: users: Matched entry DEFAULT at line 95 (6) files: EXPAND User-Profile is %{control:User-Profile} (6) files: --> User-Profile is (6) [files] = ok rlm_ldap (ldap): Reserved connection (10) ... ---[ quotation end ]------------------------------------------- in documentation it is written: if user is a part of Ldap-Group, the User-Profile will be assigned to the user. so, my user is found to be a part of Ldap-Group, how to know why User-Profile is not assigned? -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)
A.L.M.Buxey@lboro.ac.uk wrote:
does it mean to hardcode all my access points data ... because MAC addresses differ but SSID part is the same
no...carry on as you are, selecting the SSID part of your CSI attribute....but just call ldap with the if(){} stuff as explained
thanks, it works, though it is possible to set only one single attribute value to hold SSID, if multiply values set, then all except first are ignored :( -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
vilpalu -
Zeus Panchenko