User Groups within FR

Ben Humpert ben at
Mon May 25 16:41:05 CEST 2015

I'm using EAP-TLS and authentication works well. I also sanitize
Called-Station-Id, Calling-Station-Id and in the same process create
Called-Station-Ssid. This also works very well. This is done at first
in the authorize section.

My mods-config/files/authorize file has two entries as below.

                Tunnel-Medium-Type = "IEEE-802",
                Tunnel-Private-Group-Id = "43",
                Tunnel-Type = "VLAN"

                Tunnel-Medium-Type = "IEEE-802",
                Tunnel-Private-Group-Id = "1",
                Tunnel-Type = "VLAN"

My switches support Dynamic VLAN Assignment so this current
configuration is fine. My Wifi Access Points however do NOT support
it, thus I have to use a unique SSID for each VLAN. Because of that I
have to check which SSID a user is connecting to and accept or
reject him based on which VLAN he's allowed to access.

I tried using (note the single = in the check item!)

tlsuser      Called-Station-Ssid = "vlan43"
                Tunnel-Medium-Type = "IEEE-802",
                Tunnel-Private-Group-Id = "43",
                Tunnel-Type = "VLAN"

This allows me to connect to a switch (which doesn't cause the
creation of Called-Station-Ssid) but also to an access point. However,
it does not prevent me connecting to a forbidden SSID. If I use == in
the check item it actually does prevent me from connecting to a
forbidden SSID but also from connecting through switches.

So, should I use a regex in the "users" file for each user entry or
should I do this with a policy using unlang? And if using unlang is
advised - I think using groups is the better approach than hardcoding
usernames into the code - how do I create groups which contain a) the
usernames that are part of that group and b) one or more
Called-Station-Ssid entries the user is allowed to connect to?

I thought about arrays but I couldn't find info on whether it's supported or
how it's used. I actually have perfectly working unlang code for
doing what I want to achieve but that checks LDAP and I want to get
rid of it since it's kind of an overkill for just assigning users into

Thank you very much in advance!
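One way to do the SSID check in unlang without hard-coding usernames, given as an added example that is not part of the original post and not from the FreeRADIUS project: it reuses the Tunnel-Private-Group-Id that mods-config/files/authorize already puts in the reply, so "the group a user belongs to" is simply the VLAN the users file assigns. The only assumption is the naming convention the post hints at, that the SSID serving VLAN <id> is called "vlan<id>" (SSID "vlan43" for VLAN 43). Place it in the authorize section of the site that handles the EAP-TLS request, after the "files" module and after the policy that creates Called-Station-Ssid:

```unlang
# Added example, not from the original post. Enforces that a wireless
# user may only associate to the SSID of the VLAN they are assigned.
# Assumption: SSID names follow "vlan<id>" (VLAN 43 -> SSID "vlan43").
#
# Wired requests from the switches never create Called-Station-Ssid,
# so the whole block is skipped for them and the Tunnel-* reply items
# drive Dynamic VLAN Assignment exactly as before.
if (&Called-Station-Ssid) {
    # A wireless user with no VLAN in the reply has no allowed SSID at all.
    if (!&reply:Tunnel-Private-Group-Id) {
        update request {
            &Module-Failure-Message += 'Rejected: no VLAN assigned, wireless access denied'
        }
        reject
    }
    # The SSID must match the VLAN this user is entitled to. A user
    # assigned VLAN 43 is accepted on "vlan43" and rejected on "vlan1".
    if (&Called-Station-Ssid != "vlan%{reply:Tunnel-Private-Group-Id}") {
        update request {
            &Module-Failure-Message += "Rejected: SSID %{Called-Station-Ssid} is not the SSID for VLAN %{reply:Tunnel-Private-Group-Id}"
        }
        reject
    }
}
```

Because every user who shares a VLAN automatically shares the allowed SSID, adding a user to a "group" is just giving them that VLAN's entry in the users file; no per-user SSID line and no regex per entry is needed. Module-Failure-Message is appended rather than assigned so that the reason appears in the Auth-Reject log line next to any message an earlier module set. Run the server with radiusd -X while testing, and confirm that a request carrying a Called-Station-Id from a switch (no SSID) still gets its Tunnel-* reply items and that a wireless request for the wrong SSID is rejected with the message above.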