Access-Accept / Access-Reject based on LDAP Group & SSID

Ben Humpert ben at
Thu Mar 19 18:53:37 CET 2015

2015-03-19 18:14 GMT+01:00 Alan DeKok <aland at>:
> On Mar 19, 2015, at 12:20 PM, Ben Humpert <ben at> wrote:
>> I already read plenty of Howtos, manpages and configuration examples
>> and tried to find a Guide for what I'm trying to archive.
>   Most third-party guides aren’t worth the effort.  It’s better to UNDERSTAND what’s going on, rather than to follow a guide which may or may not be applicable.
>> What I exactly want to archive is RADIUS to check
>> 1) if the group the user is in is allowed to log into
>> Called-Station-Ssid “guest"
>   That’s in the FAQ. Where?

>> 2) if the username & password is correct
>   The server does that if you configure a user/password.  i.e. tell it to look the user up in LDAP.

Server already does it but before checking in which group the user is

>> 3) if user has "dialupAccess” set
>   See the LDAP module configuration for how that works.

That already works, directly after checking for username/password but
before checking in which group the user is.

>> I'm running Ubuntu 14.04.1, FreeRADIUS 2.1.12 and OpenLDAP 2.4.31
>   <sigh>  Upgrade to 2.2.6.  The Debian / Ubuntu people have fixated on 2.2.12 for reasons I don’t understand.

RADIUS 2.1.12 is the latest available in latest LTS Ubuntu.

>> I'd start from scratch but have modified dictionary, policy.conf and
>> sites-available/default according to
>   Are you doing MAC Auth?  If so, then the guide should work.  If you’re not doing MAC Auth, then why the heck are you following the MAC auth guide?

No but it was the ONLY guide which explained how to seperate MAC and
SSID. I didn't followed it completely, just took the parts I need.

More information about the Freeradius-Users mailing list