Access-Accept / Access-Reject based on LDAP Group & SSID
Ben Humpert
ben at an3k.de
Fri Mar 20 15:16:11 CET 2015
2015-03-20 2:15 GMT+01:00 Matthew Newton <mcn4 at leicester.ac.uk>:
>
> Try the rlm_ldap page: http://wiki.freeradius.org/modules/Rlm_ldap
> "Group Support".
>
> If you've already followed the part from the mac auth docs about
> getting Called-Station-SSID, you should be able to do something like
>
> if (Called-Station-SSID == "guest") {
>     if (Ldap-Group == "guestgroup") {
>         noop
>     }
>     else {
>         reject
>     }
> }
>
> or similar, to accomplish what you want.
Thank you very much for posting that example. I got what I wanted to
achieve working. However, it feels like a very dirty hack. Isn't there
a better way (maybe in newer versions)?
> 2.1.12 is ancient and has plenty of bugs and security issues. If
> you really want to use it, you're probably better off going to
> Ubuntu for help. Long term "support" should mean that...
>
> Building 2.2.6 on Debian is absolutely trivial.
> http://wiki.freeradius.org/building/Build#Building-Debian-packages
>
> Having said that, unlang like the above will /probably/ be OK on
> that version. But no one around here is particularly interested, as
> you've found out :)
If I used 2.2.6, wouldn't I have to use the same configuration as I
have to use in 2.1.12, or is there an easier and more modular way to
implement what I want to achieve?
Currently I have to "hardcode" every group into the configuration file,
and every time I add/remove a group I have to edit the file and restart
Radius. It's like Radius without LDAP. I thought of something like
    # Ldap-Group is a virtual comparison attribute, not a request
    # attribute, so it cannot be expanded with %{Ldap-Group}; the
    # expanded (lower-cased) SSID has to go on the right-hand side.
    if (Ldap-Group == "%{tolower:%{Called-Station-SSID}}") {
        noop
    }
    else {
        reject
    }
Kind regards,
Ben
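The following authorize snippet is an added example, not part of the thread and not FreeRADIUS project code; it shows the data-driven variant of the check discussed above, where the LDAP group name is derived from the SSID instead of being hardcoded per group. It assumes (as in the Mac-Auth docs already mentioned) that Called-Station-SSID has been populated from Called-Station-Id earlier in authorize, that the ldap module instance is named ldap and has groupname_attribute/groupmembership_filter configured, and that each SSID has a matching LDAP group whose name is the SSID in lower case (the "guest" SSID maps to the "guest" group). The Reply-Message text is an assumed value.

```unlang
authorize {
    preprocess

    # Populate Ldap-UserDn etc. (assumed instance name "ldap").
    ldap

    # Only enforce the SSID/group mapping when an SSID was extracted;
    # requests without one (e.g. wired ports) fall through unchanged.
    if (Called-Station-SSID) {

        # Ldap-Group is a virtual attribute provided by rlm_ldap. The
        # right-hand side is xlat-expanded before the comparison, so the
        # group name is looked up from the SSID at request time and no
        # group has to be listed in the configuration.
        if (Ldap-Group == "%{tolower:%{Called-Station-SSID}}") {
            ok
        }
        else {
            update reply {
                # Assumed message text; adjust to taste.
                Reply-Message := "Not a member of group %{tolower:%{Called-Station-SSID}}"
            }
            reject
        }
    }

    eap
    pap
}
```

Adding a new SSID then only requires creating the matching group in LDAP; no configuration edit or restart is needed. Note that each Ldap-Group comparison performs an LDAP search using the group membership filter configured for the ldap module, so the user entry must already be resolvable (hence the ldap call before the check).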