Re-write Attributes based upon NAS-Port-Type and LDAP authorization response

Alan DeKok aland at
Mon Jun 26 20:51:00 CEST 2006

"Bill Carr" <bcarr at> wrote:
> My pseudo-code thought process is outlined below (I'm not a coder, would
> never profess to be; thus my post!):
>              if NAS-Port-Type == "Wireless - IEEE 802.11"
>              then
>                          Tunnel-Medium-Type == IEEE-802
>                          Tunnel-Type == VLAN
>                          if Filter-ID =~ "Internet-Restricted"

  That won't work.  The NAS doesn't send Filter-Id.  You've got to
configure the server to send the correct response back.

> My reading thus far has lead me to test my reply attribute requirements
> from the "users" file and that works perfectly.   If someone could point
> me in a simple direction on how to strip/rewrite the attributes based on
> the 'authorization' reply from LDAP, I'd be indebted.

  I don't see why that's necessary.  Configuring the server to do
something, then re-do what it already did as something else, is a bad
idea.  It's hard to configure, and prone to problems.

  Instead, configure the server to match on something, and send a
reply.  It's a lot easier.

>   I've seen examples of profiles stored on LDAP, but I'm curious how
> I could choose a different profile based upon the "NAS-Port-Type"
> received in the Access-Request

  You put the NAS-Port-Type into the LDAP query.  That's hwy the
queries are configurable.

  Alan DeKok.

More information about the Freeradius-Users mailing list