Access-Accept / Access-Reject based on LDAP Group & SSID
Matthew Newton
mcn4 at leicester.ac.uk
Fri Mar 20 02:15:17 CET 2015
On Thu, Mar 19, 2015 at 06:53:37PM +0100, Ben Humpert wrote:
> 2015-03-19 18:14 GMT+01:00 Alan DeKok <aland at deployingradius.com>:
> > On Mar 19, 2015, at 12:20 PM, Ben Humpert <ben at an3k.de> wrote:
> >> What I exactly want to achieve is RADIUS to check
> >> 1) if the group the user is in is allowed to log into
> >> Called-Station-Ssid "guest"
> >
> > That’s in the FAQ.
>
> http://wiki.freeradius.org/guide/faq Where?
Try the rlm_ldap page: http://wiki.freeradius.org/modules/Rlm_ldap
"Group Support".
If you've already followed the part from the mac auth docs about
getting Called-Station-SSID, you should be able to do something like

    if (Called-Station-SSID == "guest") {
        if (Ldap-Group == "guestgroup") {
            noop
        }
        else {
            reject
        }
    }

or similar, to accomplish what you want.
> >> I'm running Ubuntu 14.04.1, FreeRADIUS 2.1.12 and OpenLDAP 2.4.31
> >
> > <sigh> Upgrade to 2.2.6. The Debian / Ubuntu people have
> > fixated on 2.2.12 for reasons I don’t understand.
>
> RADIUS 2.1.12 is the latest available in latest LTS Ubuntu.
We know that.
2.1.12 is ancient and has plenty of bugs and security issues. If
you really want to use it, you're probably better off going to
Ubuntu for help. Long term "support" should mean that...
Building 2.2.6 on Debian is absolutely trivial.
http://wiki.freeradius.org/building/Build#Building-Debian-packages
Having said that, unlang like the above will /probably/ be OK on
that version. But no one around here is particularly interested, as
you've found out :)
Cheers,
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
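
An added example, not part of the original message or of FreeRADIUS: a Python model of the nested-if policy quoted above, showing which requests actually reach the group test and which fall through unchecked. It assumes Called-Station-Id arrives in the RFC 3580 "MAC:SSID" form; the function names and sample requests are constructed for illustration.

```python
import re

# RFC 3580 style Called-Station-Id: AP MAC address, then ":" and the SSID.
_CALLED_STATION = re.compile(
    r"^((?:[0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2})(?::(.+))?$"
)

def called_station_ssid(called_station_id):
    """Return the SSID part of Called-Station-Id, or None if absent."""
    m = _CALLED_STATION.match(called_station_id or "")
    return m.group(2) if m else None

def authorize(called_station_id, ldap_groups, restricted):
    """Model of the policy: returns 'reject' or 'noop' (fall through).

    restricted maps an SSID to the LDAP group required on it
    (hypothetical structure; the thread has one SSID and one group).
    """
    ssid = called_station_ssid(called_station_id)
    required = restricted.get(ssid)  # exact, case-sensitive comparison
    if required is None:
        # SSID not listed, or no SSID in the request: no group check at all.
        return "noop"
    return "noop" if required in ldap_groups else "reject"

# Constructed sample data, using the SSID and group names from the thread.
RESTRICTED = {"guest": "guestgroup"}
SAMPLES = [
    ("00-11-22-33-44-55:guest", {"guestgroup"}),  # member on guest SSID
    ("00-11-22-33-44-55:guest", {"staff"}),       # non-member on guest SSID
    ("00-11-22-33-44-55:Guest", {"staff"}),       # different case: not matched
    ("00-11-22-33-44-55:corp", {"staff"}),        # other SSID: unchecked
    ("00-11-22-33-44-55", {"staff"}),             # wired / no SSID: unchecked
]

def decision_table():
    """Evaluate every sample and return (request, groups, decision) rows."""
    return [(cs, sorted(groups), authorize(cs, groups, RESTRICTED))
            for cs, groups in SAMPLES]

if __name__ == "__main__":
    for cs, groups, decision in decision_table():
        print(f"{cs:28} {groups!s:16} {decision}")
```

Only the second sample is rejected: the policy restricts the one named SSID and leaves every other request, including one with no SSID, to whatever the rest of the configuration decides.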