Access-Accept / Access-Reject based on LDAP Group & SSID

Ben Humpert ben at
Fri Mar 20 15:16:11 CET 2015

2015-03-20 2:15 GMT+01:00 Matthew Newton <mcn4 at>:
> Try the rlm_ldap page:
> "Group Support".
> If you've already followed the part from the mac auth docs about
> getting Called-Station-SSID, you should be able to do something like
>   if (Called-Station-SSID == "guest") {
>     if (Ldap-Group == "guestgroup") {
>       noop
>     }
>     else {
>       reject
>     }
>   }
> or similar, to accomplish what you want.

Thank you very much for posting that example. I got what I wanted to
archive working. However, it feels like a very dirty hack. Isn't there
a better way (maybe in newer versions)?

> 2.1.12 is ancient and has plenty of bugs and security issues. If
> you really want to use it, you're probably better off going to
> Ubuntu for help. Long term "support" should mean that...
> Building 2.2.6 on Debian is absolutely trivial.
> Having said that, unlang like the above will /probably/ be OK on
> that version. But noone around here is particularly interested, as
> you've found out :)

If I would use 2.2.6 wouldn't I have to use the same configuration as
I have to use in 2.1.12 or it there are easier and more modular way to
implement what I want to archive?

Currently I have to "hardcode" every group into the configuration file
and everytime I add/remove a group I have to edit the file and restart
Radius. It's like Radius without LDAP. I thought of something like

if (%{tolower:%{Ldap-Group}} == %{Called-Station-Ssid}) {
else {

Kind regards,


More information about the Freeradius-Users mailing list