Access-Accept / Access-Reject based on LDAP Group & SSID

Alan DeKok aland at
Thu Mar 19 18:14:59 CET 2015

On Mar 19, 2015, at 12:20 PM, Ben Humpert <ben at> wrote:
> I already read plenty of Howtos, manpages and configuration examples
> and tried to find a Guide for what I'm trying to archive.

  Most third-party guides aren’t worth the effort.  It’s better to UNDERSTAND what’s going on, rather than to follow a guide which may or may not be applicable.

> What I exactly want to archive is RADIUS to check
> 1) if the group the user is in is allowed to log into
> Called-Station-Ssid “guest"

  That’s in the FAQ.

> 2) if the username & password is correct

  The server does that if you configure a user/password.  i.e. tell it to look the user up in LDAP.

> 3) if user has "dialupAccess” set

  See the LDAP module configuration for how that works.

> I'm running Ubuntu 14.04.1, FreeRADIUS 2.1.12 and OpenLDAP 2.4.31

  <sigh>  Upgrade to 2.2.6.  The Debian / Ubuntu people have fixated on 2.2.12 for reasons I don’t understand.

> I'd start from scratch but have modified dictionary, policy.conf and
> sites-available/default according to

  Are you doing MAC Auth?  If so, then the guide should work.  If you’re not doing MAC Auth, then why the heck are you following the MAC auth guide?

  Alan DeKok.

More information about the Freeradius-Users mailing list