LDAP Groups to Freeradius and then Ruckus Wireless?

Enrique Sainz Baixauli enriquesainz.beca at intef.educacion.es
Tue Jun 3 13:12:19 CEST 2014

> Hi Enrique, 
> Can you show us what the inner-tunnel post-auth section looks like? By
trimming down the debug output, we've lost that. 
> If your inner-tunnel post-auth just uses "update reply {", then you may
with to update it with "update outer.reply {", which should feed the
attribute back. 
> Stefan

Hi Stefan,

I only added to postauth in inner-tunnel server configuration what I had in
authorize in default server:

foreach &control:LDAP-Group {
	update reply {
		&Ruckus-User-Groups += "%{Foreach-Variable-0}"

Now I changed it into update outer.reply and, instead of the attribute being
added to the tunneled reply to the default server, it was added to the
Access-Challenge that the default server sent to the client. Then, the
client sends one last Access-Request and the server sends Access-Accept
without the attribute. I am guessing that this last reply was done only by
the default server, so the inner-tunnel didn't get to add anything. But if
that's so, how can I add the attribute in the default server without
querying LDAP on every packet that the server sends to set up the TLS

Thanks again!

More information about the Freeradius-Users mailing list