Using NAS-Identifier with login criteria

Brian Boere brian.boere at
Sun Apr 12 15:15:12 CEST 2015

Thanks for the feedback, Alan.

What is the benefit of the change to the Ldap-Group line?

For the line in the sites-available/default, I had seen an example when I was trying to figure this out that had this in it. I will remove it.

The version that I am using was installed from YAST2 on a SLES11 machine.  I applied all of the updates through YAST and figured it was up to date. What is the best process to upgrade to 2.2.6?

I appreciate your input.


>>> Alan DeKok <aland at> 4/12/2015 08:54 AM >>> 
On Apr 11, 2015, at 9:15 PM, Brian Boere <brian.boere at> wrote:
> What I have done is:
> created an area called "my_policy" in the policy.conf file and added the following:
> 	if (NAS-Identifier =~ /Rad_test2/) {
> 	     if ( Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) {

  For various reasons you'll have to do:

	if (!(Ldap-Group == "cn=Corporate Wireless Network,ou=ou,o=org" )) {

  That will work better.

> 	         reject
> 	     }
> 	}
> In the /sites-available/default file:
> under authorize:
> 	update request {
> 		NAS-Identifier = "%{NAS-Identifier}"
>                  }

  Huh?  That does nothing useful. Why do you think that's necessary?

> FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Feb 28 2014 at 23:17:30

  And why 2.1.1?  That's almost 7 years old.  Use 2.2.6.

  Alan DeKok.
