Access-Accept / Access-Reject based on LDAP Group & SSID
Ben Humpert
ben at an3k.de
Fri Mar 20 22:25:10 CET 2015
2015-03-20 22:19 GMT+01:00 Alan DeKok <aland at deployingradius.com>:
>
> If you don't have the time to *summarize* what you're doing, I don't have time to read the hundreds of lines of ldap dump you posted.
>
>> On Mar 20, 2015, at 5:05 PM, Ben Humpert <ben at an3k.de> wrote:
>>
>> RADIUS should check if the users group has a radiusCalledStationId
>> attribute matching the Called-Station-Id. If not it should check if
>> the user itself has a matching attribute. If not, Access-Reject. In
>> case a match is found and Called-Station-Ssid is set RADIUS should now
>> check if the users group has a matching radiusCalledStationSsid
>> attribute. If not it should check if the user itself has a matching
>> attribute. If not, Access-Reject. In case a match is found RADIUS
>> should finally check the users group for other attributes (eg.
>> radiusTunnelType, etc.) and apply them as long as the user itself
>> doesn't have these attributes set too. In that case the users
>> attributes take precedence.
More information about the Freeradius-Users
mailing list