LDAP Groups to Freeradius and then Ruckus Wireless?
Enrique Sainz Baixauli
enriquesainz.beca at intef.educacion.es
Wed Jun 11 13:30:15 CEST 2014
I am totally unsure what was going on with that Foreach-Variable-# thing,
but it seems to be working fine now. I was following Arran's advice in [1]
to try to minimize calls to ldap when Foreach-Variable-1 was empty all of a
sudden, so I switched to Foreach-Variable-0 and everything started working
fine. I did not add or remove any loops, only update sections for
Cache-Status-Only and calls to ldap and/or cache, so I find it even weirder.
Anyway, it is working now, so I am pasting config snippets here for the
record:
# sites-enabled/default
authorize {
    [...]
    # Ask the cache only whether an entry exists; merge nothing yet
    update control {
        Cache-Status-Only := yes
    }
    cache
    if (notfound) {
        # Miss: go to LDAP once, then store what it returned
        ldap
        update control {
            Cache-Status-Only := no
        }
        cache
    }
    [...]
}
post-auth {
    # Merge the cached control: attributes, then copy each group into the reply
    update control {
        Cache-Status-Only := no
    }
    cache
    foreach &control:LDAP-Group {
        update reply {
            &Ruckus-User-Groups += "%{Foreach-Variable-0}"
        }
    }
}

# sites-enabled/inner-tunnel
authorize {
    [...]
    update control {
        Cache-Status-Only := yes
    }
    cache
    if (notfound) {
        ldap
        update control {
            Cache-Status-Only := no
        }
        cache
    }
    [...]
}

# mods-enabled/cache
cache {
    ttl = 3600
    add_stats = no
    update {
        control:LDAP-Group += control:LDAP-Group
        control:Password-With-Header += control:Password-With-Header
    }
}
With this config there is only one call to ldap in the entire authentication
process and the group attribute is set in the final Access-Accept. The
authorize section is the same in both default and inner-tunnel servers
because the former is needed for TTL and the latter for PEAP (and I need
both methods). Feel free to ask or suggest anything you can think of :)
Thanks everyone one more time!
[1]
http://lists.freeradius.org/pipermail/freeradius-users/2014-June/072430.html
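To make the control flow of the posted snippets concrete, here is an added Python model of the outer server's authorize and post-auth sections; it is not FreeRADIUS code and not from the original post. A constructed two-attribute directory stands in for the ldap module, and the `Cache` class mimics rlm_cache's Cache-Status-Only check, TTL expiry and the two `+=` update lines, so you can count how many ldap calls each authentication causes and see how the groups reach `Ruckus-User-Groups`.

```python
import time

# Constructed stand-in for the ldap module: a one-user directory and a call log.
DIRECTORY = {"alice": {"LDAP-Group": ["staff", "wifi"],
                       "Password-With-Header": ["{clear}s3cret"]}}
LDAP_CALLS = []  # one entry appended per ldap call, so the caller can count them

def ldap(user, control):
    """Like the ldap module in authorize: add control: attributes found in the directory."""
    LDAP_CALLS.append(user)
    for attr, values in DIRECTORY.get(user, {}).items():
        control.setdefault(attr, []).extend(values)

class Cache:
    """Model of mods-enabled/cache: ttl, Cache-Status-Only, and the two '+=' update lines."""
    ATTRS = ("LDAP-Group", "Password-With-Header")

    def __init__(self, ttl=3600, clock=time.time):
        self.ttl, self.clock, self.store = ttl, clock, {}

    def __call__(self, key, control):
        entry = self.store.get(key)
        if entry and self.clock() >= entry["expires"]:  # expired entries count as missing
            del self.store[key]
            entry = None
        if control.get("Cache-Status-Only") == "yes":    # report existence, merge nothing
            return "ok" if entry else "notfound"
        if entry:                                        # hit: merge cached attrs into control:
            for attr in self.ATTRS:
                control.setdefault(attr, []).extend(entry[attr])
            return "ok"
        self.store[key] = {"expires": self.clock() + self.ttl,  # miss: store from control:
                           **{a: list(control.get(a, [])) for a in self.ATTRS}}
        return "updated"

def authenticate(user, cache):
    """One request through the posted authorize and post-auth sections; returns the reply list."""
    control, reply = {}, {}
    control["Cache-Status-Only"] = "yes"                 # authorize: cheap existence check
    if cache(user, control) == "notfound":
        ldap(user, control)                              # the single ldap call
        control["Cache-Status-Only"] = "no"
        cache(user, control)                             # populate the entry for ttl seconds
    control["Cache-Status-Only"] = "no"                  # post-auth: merge cached groups ...
    cache(user, control)
    for group in control.get("LDAP-Group", []):          # ... and copy them into the reply
        reply.setdefault("Ruckus-User-Groups", []).append(group)
    return reply
```

Passing a fake clock to `Cache` lets you step past the 3600-second ttl and confirm that the next authentication hits ldap again.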