Reject users based on LDAP attribute

Luo, Frank Y.F. Mr. luoy at
Thu May 17 15:56:20 CEST 2012

I have a similar situation.

$ sudo grep Profile dictionary
ATTRIBUTE Profile 3000 string

$ sudo grep Profile ldap.attrmap
replyItem Profile VPN

$ more default
post-auth {
if (Profile == g1) {
    update reply {
        class = "ou=g1;"

But in the log

# Executing section post-auth from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++? if (Profile == g1)
    (Attribute Profile was not found)
? Evaluating (Profile == g1) -> FALSE
++? if (Profile == g1) -> FALSE

I also tried

If (reply:Profile == g1)

Any idea?



On May 17, 2012, at 3:58 AM, C.F. Yeung wrote:

Thanks, it's working.

On Thu, May 17, 2012 at 3:22 PM, Phil Mayers <p.mayers at> wrote:
On 05/17/2012 06:54 AM, C.F. Yeung wrote:
We have 802.1x authentication via AD. It's okay. Now, we would like to
reject users based on LDAP attribute, WLANStatus. Added attribute in
dictionary and ldap.attrmap as follows. Where should I put the unlang?

ATTRIBUTE My-Local-wlanStatus 3000 string

replyItem My-Local-wlanStatus WLANStatus

It's a REPLY item, so this should be:

if (reply:My-Local-wlanStatus == A1) {
List info/subscribe/unsubscribe? See


More information about the Freeradius-Users mailing list
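
Added example, not part of the original thread and not the FreeRADIUS project's own configuration: the dictionary entry, LDAP mapping and reply-list check quoted above, assembled into one FreeRADIUS 2.x style fragment that rejects on the mapped attribute. Assumptions: the check sits in authorize after the ldap module has run, the value "A1" marks an account that must be refused, and the Reply-Message text is a placeholder.

```text
# --- raddb/dictionary -------------------------------------------------
# Local attribute that will hold the LDAP value (from the thread).
ATTRIBUTE	My-Local-wlanStatus	3000	string

# --- raddb/ldap.attrmap -----------------------------------------------
# replyItem puts the value into the REPLY list, not the request list.
replyItem	My-Local-wlanStatus	WLANStatus

# --- raddb/sites-enabled/default --------------------------------------
authorize {
	# ... existing modules ...

	# The LDAP lookup that fills in the mapped attribute must run
	# before the condition below is evaluated.
	ldap

	# An unqualified attribute name is looked up in the request list,
	# which is why a bare name is reported as "not found" for a
	# replyItem mapping. The "reply:" prefix selects the reply list.
	if (reply:My-Local-wlanStatus == "A1") {
		# Assumption: "A1" means WLAN access is disabled.
		update reply {
			Reply-Message := "WLAN access disabled for this account"
		}
		reject
	}
}
```

Running the server in debug mode (`radiusd -X`) shows whether the condition was evaluated against the reply list and whether the attribute was present when the section executed.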