Access-Accept / Access-Reject based on LDAP Group & SSID

Alan DeKok aland at
Fri Mar 20 18:44:23 CET 2015

On Mar 20, 2015, at 10:16 AM, Ben Humpert <ben at> wrote:
> Thank you very much for posting that example. I got what I wanted to
> archive working. However, it feels like a very dirty hack. Isn't there
> a better way (maybe in newer versions)?

  Use a database.

> If I would use 2.2.6 wouldn't I have to use the same configuration as
> I have to use in 2.1.12 or it there are easier and more modular way to
> implement what I want to archive?


> Currently I have to "hardcode" every group into the configuration file
> and everytime I add/remove a group I have to edit the file and restart
> Radius. It's like Radius without LDAP. I thought of something like
> if (%{tolower:%{Ldap-Group}} == %{Called-Station-Ssid}) {
>  noop

  You can’t lowercase the LDAP group.  You’ll have to lowercase the Called-Station-SSID instead.

  It helps to describe what you’re doing.  You asked if you could do LDAP group checks based on Called-Station-SSID.  You got an answer.  If the LDAP group names are the *same* as the SSID, then you should have said that, too.  You’d get a different answer.

  So… what’s actually going on?

  Alan DeKok.

More information about the Freeradius-Users mailing list