Cisco AV Pair

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at
Tue Jul 29 16:24:22 CEST 2014

Isn’t cisco-avpair a multivalue attribute? To do it properly, you’d have to check each instance for an ssid wouldn’t you?

In V3, we do this with foreach, but I’m not sure in V2. Typically the ssid attribute sent from a cisco ap is the first one, but maybe that’s not always the case.

If I’m way off track just ignore me! J



From: at [ at] On Behalf Of Dan Fleming
Sent: 29 July 2014 13:27
To: FreeRadius users mailing list
Subject: Re: Cisco AV Pair


Reading the documentation I am still at a loss. I am familiar on how to do this with Cisco ACS, but looking to do it now with free radius. I now have it working if I check the Cisco-avpair under the user in dalo Radius (Cisco-avpair =~ .*SSID$) . Is there a way to configure this so i dont have to keep typing that attribute under every user? I thought the group would work, but from what you are saying it sounds like it wouldnt. I have tried saying if it doesnt match the above regex then the Radgroupreply says ( Auth-Typ := Reject)

Thank you for your time.


On Mon, Jul 28, 2014 at 2:15 PM, Alan DeKok <aland at> wrote:
> Dan Fleming wrote:
> > Thank you I have read through it makes sense. So how do I do something
> > based on the results?
>   The SQL document talks about "radreply", which lets you do something
> with the results.
> > I would like to only authorize a connection if the
> > users password matches and they are connecting to the correct ssid in
> > the av-pair. Is there a HOWTO or other document outlining how to do that?
>   No.  Because that's a specific solution.  The documents describe how
> the server works, and lets you put it together yourself.
>   For your situation, the key is to understand that the server accepts
> users if their password is correct.  If you add more conditional checks,
> the user is still accepted.
>   The solution is either to:
> a) set the "known good" password ONLY if the conditions also match.  The
> SQL documentation describes how to set conditions
> b) if the password is stored somewhere else (e.g. LDAP), then you need
> to REJECT the user if the conditions match.
>   Alan DeKok.
> -

> List info/subscribe/unsubscribe? See


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list