authorization based on ldap attribute

Phil Mayers p.mayers at
Wed Sep 19 18:37:43 CEST 2012

On 19/09/12 17:03, Stefano Zanmarchi wrote:
> Hallo,
> I've configured freeradius to authenticate users with PEAP, using
> openldap to store NTLM hashes. It works fine.
> Now I'd like to authorize only people who have the ldap attribute
> "haDirittoEduroam" set to Y
> (or the other way round: not to authorize users with
> "haDirittoEduroam" set to N).
> Below an example openldap entry.
> Is there an easy way to achive this?

1. Edit "raddb/dictionary" to define a local attribute to store the data

ATTRIBUTE	Eduroam-Enabled		3010	string

2. Modify "ldap.attrmap" to copy your LDAP attribute into this local 
RADIUS attribute:

replyItem	Eduroam-Enabled		haDirittoEduroam

3. Check the attribute like so in "sites-enabled/inner-tunnel":

authorize {
  if (reply:Eduroam-Enabled != "Y") {

There are probably other ways to do it, including using an "xlat" to 
lookup the attribute i.e. variation of step 2, or modifying the ldap 
queries to only "see" those users.

More information about the Freeradius-Users mailing list