Access-Accept / Access-Reject based on LDAP Group & SSID

Matthew Newton mcn4 at
Fri Mar 20 02:15:17 CET 2015

On Thu, Mar 19, 2015 at 06:53:37PM +0100, Ben Humpert wrote:
> 2015-03-19 18:14 GMT+01:00 Alan DeKok <aland at>:
> > On Mar 19, 2015, at 12:20 PM, Ben Humpert <ben at> wrote:
> >> What I exactly want to achieve is RADIUS to check
> >> 1) if the group the user is in is allowed to log into
> >> Called-Station-Ssid "guest"
> >
> >   That’s in the FAQ.
> Where?

Try the rlm_ldap page:
"Group Support".

If you've already followed the part from the mac auth docs about
getting Called-Station-SSID, you should be able to do something like

  if (Called-Station-SSID == "guest") {
    if (Ldap-Group == "guestgroup") {
    }
    else {
    }
  }

or similar, to accomplish what you want.

> >> I'm running Ubuntu 14.04.1, FreeRADIUS 2.1.12 and OpenLDAP 2.4.31
> >
> >   <sigh>  Upgrade to 2.2.6.  The Debian / Ubuntu people have
> >   fixated on 2.2.12 for reasons I don’t understand.
> RADIUS 2.1.12 is the latest available in latest LTS Ubuntu.

We know that.

2.1.12 is ancient and has plenty of bugs and security issues. If
you really want to use it, you're probably better off going to
Ubuntu for help. Long term "support" should mean that...

Building 2.2.6 on Debian is absolutely trivial.

Having said that, unlang like the above will /probably/ be OK on
that version. But no one around here is particularly interested, as
you've found out :)



Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>
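
Added example (not part of the message above, and not taken from the FreeRADIUS documentation): the SSID and LDAP group check sketched in the reply, written out as a complete unlang block. It assumes Called-Station-SSID is already populated and that rlm_ldap group support is configured as described under "Group Support"; the "staff" SSID and "staffgroup" group are hypothetical names, and rejecting unlisted SSIDs is a policy choice made for this example.

```unlang
# Added example. Place inside authorize { } of the virtual server,
# after the policy that populates Called-Station-SSID.
# Assumption: the ldap module instance is named "ldap", so the
# group comparison attribute is Ldap-Group.

if (Called-Station-SSID == "guest") {
    # Comparing Ldap-Group makes rlm_ldap look up the user's
    # membership of the named group in the directory.
    if (Ldap-Group == "guestgroup") {
        ok
    }
    else {
        # Not a member: stop processing and send Access-Reject.
        reject
    }
}
elsif (Called-Station-SSID == "staff") {
    # Hypothetical second SSID with its own group.
    if (Ldap-Group == "staffgroup") {
        ok
    }
    else {
        reject
    }
}
else {
    # SSID missing or not listed above: fail closed.
    # Remove this branch if other NAS types (e.g. wired ports)
    # are meant to fall through to the rest of authorize.
    reject
}
```

Passing the group check only lets the request continue; the user still has to authenticate through whatever method the rest of the virtual server configures.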
