User Groups within FR

Alan DeKok aland at
Mon May 25 17:09:06 CEST 2015

On May 25, 2015, at 10:41 AM, Ben Humpert <ben at> wrote:
> This allows me to connect to a switch (which doesn't cause the
> creation of Called-Station-Ssid) but also to an access point. However,
> it does not prevent me connecting to a forbidden SSID. If I use == in
> the check item it actually does prevent me from connecting to a
> forbidden SSID but also from connecting through switches.

  The users file isn't well suited for complex policies.

> So, should I use a regex in the "users" file for each user entry or
> should I do this with a policy using unlang?

  Keep the users file simple.

> And if using unlang is
> advised - I think using groups is the better approach than hardcoding
> usernames into the code - how do I create groups which contain a) the
> usernames that are part of that group and b) one or more
> Called-Station-Ssid entries the user is allowed to connect to?

  See raddb/modules/etc_group, and "man rlm_passwd".  The process of creating groups is documented for precisely this reason. :)

> I thought about arrays but I couldn't find info on whether it's supported or
> how it's used. I actually have a perfectly working unlang code for
> doing what I want to achieve but that checks LDAP and I want to get
> rid of it since it's kind of an overkill for just assigning users into
> groups.

  Use the groups to set the list of allowed SSIDs as a new attribute, "Allowed-SSID".  Have a special one for "no SSID".  Then in "unlang":

	if ((!Called-Station-Ssid && (Allowed-SSID == "no-SSID")) ||
	     (Allowed-SSID == "%{Called-Station-Ssid}")) {
		... set VLANs ...
	}
	else {
		# SSID is not in the user's allowed list
		reject
	}

  Something like that should work.

  Alan DeKok.
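
  The decision described in the reply above, modelled in Python so the policy table can be checked offline before it is written as unlang. This is an added example, not code from the original message or from FreeRADIUS; the group file layout and the function names are hypothetical, and the rejection of a wireless SSID that is literally named like the sentinel goes beyond the unlang shown above.

```python
# Model of the group-based SSID policy (illustrative; not FreeRADIUS code).
NO_SSID = "no-SSID"  # sentinel from the message: request has no Called-Station-Ssid

# Constructed sample data, hypothetical layout: group:allowed SSIDs:members
GROUPS_TEXT = """\
staff:corp-wifi,no-SSID:alice,bob
guests:guest-wifi:carol
netops:no-SSID:dave,alice
"""

def parse_groups(text):
    """Return {group: (set of allowed SSIDs, set of members)}."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields")
        name, ssids, members = fields
        groups[name] = (
            {s for s in ssids.split(",") if s},
            {m for m in members.split(",") if m},
        )
    return groups

def allowed_ssids(groups, user):
    """Union of Allowed-SSID values over every group the user belongs to."""
    allowed = set()
    for ssids, members in groups.values():
        if user in members:
            allowed |= ssids
    return allowed

def authorize(groups, user, called_station_ssid=None):
    """Accept a request without an SSID (e.g. via a switch) only when the user
    holds the sentinel; accept a wireless one only on an exact SSID match."""
    allowed = allowed_ssids(groups, user)
    if not called_station_ssid:
        return NO_SSID in allowed
    if called_station_ssid == NO_SSID:
        # A network really named like the sentinel must not pass as "wired".
        return False
    return called_station_ssid in allowed
```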

More information about the Freeradius-Users mailing list