User Groups within FR

Ben Humpert ben at
Mon May 25 21:41:22 CEST 2015

2015-05-25 17:09 GMT+02:00 Alan DeKok <aland at>:
> On May 25, 2015, at 10:41 AM, Ben Humpert <ben at> wrote:
>> This allows me to connect to a switch (which doesn't cause the
>> creation of Called-Station-Ssid) but also to an access point. However,
>> it does not prevent me connecting to a forbidden SSID. If I use == in
>> the check item it actually does prevent me from connecting to a
>> forbidden SSID but also from connecting through switches.
>   The users file isn't well suited for complex policies.
>> So, should I use a regex in the "users" file for each user entry or
>> should I do this with a policy using unlang?
>   Keep the users file simple.

That's exactly what I secretly hoped :)

>> And if using unlang is
>> advised - I think using groups is the better approach than hardcoding
>> usernames into the code - how do I create groups which contain a) the
>> usernames that are part of that group and b) one or more
>> Called-Station-Ssid entries the user is allowed to connect to?
>   See raddb/modules/etc_group, and "man rlm_passwd".  The process of creating groups is documented for precisely this reason. :)

Awesome! Thank you very much for pointing me to these. I hoped for
something like this.

>> I thought about arrays but I couldn't find info on whether it's supported or
>> how it's used. I actually have a perfectly working unlang code for
>> doing what I want to achieve but that checks LDAP and I want to get
>> rid of it since it's kind of an overkill for just assigning users into
>> groups.
>   Use the groups to set the list of allowed SSIDs as a new attribute, "Allowed-SSID".  Have a special one for "no SSID".  Then in "unlang"

passwd groups {
        moddir = ${modconfdir}/${.:instance}
        filename = ${moddir}/authorize
        # ',' marks a comma-separated list field, '*' marks the key field
        format = "Group-Name:,Allowed-SSID:*,User-Name"
        hash_size = 50
        ignore_nislike = yes
        allow_multiple_keys = yes
        delimiter = ":"
}

Base:base,small:Sony VAIO,Ben

>         if ((!Called-Station-Ssid && (Allowed-SSID == "no-SSID")) ||
>              (Allowed-SSID == "%{Called-Station-Ssid}")) {
>                 ... set VLANs ...
>         }
>         else {
>                 reject
>         }
>   Something like that should work.

I tried that but somehow I can't get it working. I know PHP so
if-then-else stuff is not a problem at all but I have a problem
reading the Attribute so I can compare it with %{Called-Station-Ssid}.

I tried it with %{Allowed-SSID}, %Allowed-SSID, &Allowed-SSID,
Allowed-SSID and stuff like %{config:Allowed-SSID} or
%{config:modules.groups.Allowed-SSID} and in the debug log I see

groups: Added Allowed-SSID: 'base,small' to config_items

so I should be able to %{config:Allowed-SSID} ==
%{Called-Station-Ssid} but the attribute is always empty or I get
"Config item "Allowed-SSID" does not exist".

I also got the following warning

Mon May 25 21:18:22 2015 : Warning: /etc/freeradius/policy.d/access[3]
Please change %{Called-Station-Ssid}} to &Called-Station-Ssid}

so what is the difference between %{Attribute-Name} and
&Attribute-Name? It's hard to google for just these special chars.

I somehow feel stupid, just a little bit but still beyond acceptance
:) and I hate asking for help but I can't solve this on my own. Thanks
very much!
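
The following is an added example, not code from this thread or from the FreeRADIUS project: a small Python model of the passwd-style group file and the SSID rule discussed above. It parses the page's format string (`*` key field, `,` comma-separated list field, `:` delimiter) and then applies the rule Alan sketches: a request with no Called-Station-Ssid (a wired switch) is accepted only when the user's groups carry the special value "no-SSID", otherwise the SSID must be in the user's allowed list. The authorize file content beyond the page's single `Base` line is constructed for the example.

```python
"""Model of the passwd-style group lookup and the SSID check from the thread.

Constructed example; it is not rlm_passwd or unlang, only a readable model
of the behaviour described on the page.
"""

FORMAT = "Group-Name:,Allowed-SSID:*,User-Name"   # format string from the page's config
DELIMITER = ":"

# Constructed authorize file. The first line is the one from the page; the
# other two are made up so that every branch of the rule is exercised.
AUTHORIZE_FILE = """\
Base:base,small:Sony VAIO,Ben
Switches:no-SSID:Ben
Guests:guest:Alice
"""


def parse_format(fmt):
    """Split the format string into (name, is_key, is_list) per field.

    Only the two markers the page's format uses are modelled: a leading '*'
    marks the key field and a leading ',' marks a comma-separated list.
    """
    fields = []
    for spec in fmt.split(":"):
        is_key = is_list = False
        while spec and spec[0] in "*,":
            if spec[0] == "*":
                is_key = True
            else:
                is_list = True
            spec = spec[1:]
        fields.append((spec, is_key, is_list))
    return fields


def load_groups(text, fmt=FORMAT, delimiter=DELIMITER):
    """Return {user: [record, ...]} where each record maps attribute -> value.

    Because the key field is also a list ("*,User-Name"), one line matches
    every user named in it; allow_multiple_keys = yes means a user may match
    several lines, so records are accumulated per user.
    """
    fields = parse_format(fmt)
    by_user = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        values = line.split(delimiter)
        if len(values) != len(fields):
            raise ValueError(f"record has {len(values)} fields, format has {len(fields)}: {line!r}")
        record, keys = {}, []
        for (name, is_key, is_list), raw in zip(fields, values):
            value = raw.split(",") if is_list else raw
            if is_key:
                keys = value if is_list else [value]
            else:
                record[name] = value
        for key in keys:
            by_user.setdefault(key, []).append(record)
    return by_user


def allowed_ssids(groups, user):
    """Union of the Allowed-SSID values over all of the user's group records."""
    ssids = set()
    for record in groups.get(user, []):
        ssids.update(record["Allowed-SSID"])
    return ssids


def access_decision(groups, user, called_station_ssid=None):
    """The rule from the thread, returning "accept" or "reject".

    No Called-Station-Ssid (switch port) is accepted only if "no-SSID" is in
    the user's allowed list; a wireless request is accepted only if its SSID
    is in that list. An unknown user has an empty list and is rejected.
    """
    ssids = allowed_ssids(groups, user)
    if called_station_ssid is None:
        return "accept" if "no-SSID" in ssids else "reject"
    return "accept" if called_station_ssid in ssids else "reject"


if __name__ == "__main__":
    groups = load_groups(AUTHORIZE_FILE)
    for user, ssid in [("Ben", "base"), ("Ben", None), ("Ben", "guest"),
                       ("Sony VAIO", None), ("Alice", "guest"), ("Mallory", "base")]:
        print(f"{user:10} {str(ssid):8} -> {access_decision(groups, user, ssid)}")
```

The model splits the list field into separate values, which is what lets a simple membership test work; the debug line quoted above shows the attribute being added to config_items as 'base,small', so whether the real module yields one value or two is worth checking in the same debug output before writing the comparison. In FreeRADIUS 3 those config_items are the request's control list, which is a different thing from the server configuration that %{config:...} expands, and that is why a %{config:Allowed-SSID} lookup reports a missing config item.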
