Auth by NAS-Identifier using unlang

Joseph Perrin joseph at
Mon Aug 5 21:59:51 CEST 2013

I was thinking this should be easy, but it's been two weeks and I give up...

This is what I want to do: My NAS (a WiFi AP) has two SSIDs: "staff" and
"guests".  I want mutual exclusivity.

My /etc/raddb/users file contains something like this:

abc                  Cleartext-Password := "xyz"

I've created an attribute in my /etc/raddb/dictionary file:

ATTRIBUTE       Local-Group             3000    string

In my /etc/raddb/sites-enabled/default file, in the authorize section, I've
got this:

 if ( Local-Group != NAS-Identifier ) {
    update reply {
      Reply-Message := "You may not connect to %{NAS-Identifier} AP.\r\n"
    }
 }

My access request looks something like this (edited for brevity):

User-Name = "abc"
NAS-IP-Address =
NAS-Port = 0
NAS-Identifier = "guests"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "..."
Called-Station-Id = "..."
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =...
State = ...
Aruba-Essid-Name = "test"
Aruba-Location-Id = "wifi"
Aruba-AP-Group = "Our WiFi"

Running radiusd -X I get:

++? if (Local-Group != NAS-Identifier )
    (Attribute Local-Group was not found)
? Evaluating (Local-Group != NAS-Identifier ) -> FALSE
++? if (Local-Group != NAS-Identifier ) -> FALSE

And it's clear Local-Group is always empty.  :-(

Some things I've tried:

- Moved code to post-auth section instead of authorize.
- Different attributes instead of private dictionary (i.e. Group-Name).
- Running an executable (actually works, but selinux appears to be a
- Changing the test from != to == makes things work as expected, so if the
  comparison will actually work, I'm good.

I'm clearly not understanding something....
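The configuration below is an added example, not the poster's or the FreeRADIUS project's own, showing one way to give Local-Group a value so the comparison has something to compare against. It assumes FreeRADIUS 2.x-style unlang syntax, the ATTRIBUTE line from the post's dictionary, and the file paths the post uses; the second user entry, the module names placed around the check, and the fail-closed handling of a missing group are choices of the example. The debug output in the post already shows the root cause: Local-Group is never put into any list, and in this unlang a comparison against an attribute that does not exist evaluates to FALSE, so the `!=` branch is skipped for everyone. In the users file, items on the first line are check items and are stored in the control list, so the check must reference `control:Local-Group` and must run after the `files` module has read the entry.

```unlang
# /etc/raddb/users (path taken from the post)
# Everything on the first line of an entry is a check item; check items are
# stored in the control list.  Local-Group is the custom string attribute
# defined in the post's dictionary.  "def" is a constructed second user.
abc     Cleartext-Password := "xyz", Local-Group := "staff"
def     Cleartext-Password := "uvw", Local-Group := "guests"

# /etc/raddb/sites-enabled/default, authorize section (path from the post)
authorize {
    preprocess

    # The files module reads /etc/raddb/users and fills control:Local-Group.
    # The policy check below must come AFTER it, not before.
    files

    # Fail closed: a user with no Local-Group at all is rejected, and a user
    # whose group does not match the SSID (carried in NAS-Identifier, which
    # the AP sets) is rejected.  "%{NAS-Identifier}" expands to an empty
    # string if the AP omitted it, which also results in a reject.
    if (!control:Local-Group || (control:Local-Group != "%{NAS-Identifier}")) {
        update reply {
            Reply-Message := "You may not connect to %{NAS-Identifier} AP.\r\n"
        }
        reject
    }

    eap
    pap
}
```

Why the `control:` prefix matters: the original `if ( Local-Group != NAS-Identifier )` looks for Local-Group in the request list, which only ever holds what the AP sent. The same policy can also be written without unlang as a per-user check item in the users file (`abc  NAS-Identifier == "staff", Cleartext-Password := "xyz"`), since a `==` check item on a request attribute must match the incoming packet for the entry to apply; the unlang form is kept here because it produces the Reply-Message the post wants.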
