User Groups within FR
Alan DeKok
aland at deployingradius.com
Mon May 25 22:23:46 CEST 2015

On May 25, 2015, at 3:41 PM, Ben Humpert <ben at an3k.de> wrote:
> /etc/freeradius/mods-enabled/groups
> passwd groups {
> moddir = ${modconfdir}/${.:instance}

Is this for v3? If so, that's fine...

> filename = ${moddir}/authorize
> format = "Group-Name:,Allowed-SSID:*,User-Name"

That's not correct. For one, you don't want to re-use the Group-Name attribute. It already has a meaning. You probably want:

	format = "~Allowed-SSID:*,User-Name"

> /etc/freeradius/mods-config/groups/authorize
>
> #Group-Name:Allowed-SSID:User-Name

Don't put comments into the files. It won't work. You should just use:

	SSID:user1,user2,user3

> I tried that but somehow I can't get it working. I know PHP so
> if-then-else stuff is not a problem at all but I have a problem
> reading the Attribute so I can compare it with %{Called-Station-Ssid}.

You'll also need to *enable* the "groups" module. List it in raddb/sites-available/default, in the "authorize" section, and BEFORE the unlang statements which look for Allowed-SSID.

And add Allowed-SSID to the dictionaries. See raddb/dictionary.

> I tried it with %{Allowed-SSID}, %Allowed-SSID, &Allowed-SSID,
> Allowed-SSID and stuff like %{config:Allowed-SSID} or
> %{config:modules.groups.Allowed-SSID} and in the debug log I see

PLEASE don't try random things. The method of referencing attributes is documented. If the attribute can't be found, it's because something *else* is wrong.

> groups: Added Allowed-SSID: 'base,small' to config_items
>
> so I should be able to %{config:Allowed-SSID} ==
> %{Called-Station-Ssid} but the attribute is always empty or I get
> "Config item "Allowed-SSID" does not exist".
>
> I also got the following warning
>
> Mon May 25 21:18:22 2015 : Warning: /etc/freeradius/policy.d/access[3]
> Please change %{Called-Station-Ssid}} to &Called-Station-Ssid}

That's fine.

> so what is the difference between %{Attribute-Name} and
> &Attribute-Name ? It's hard to google for just these special chars.

<sigh> See "man unlang". This is documented. The documentation comes with the server.

>
> I somehow feel stupid, just a little bit but still beyond acceptance
> :) and I hate asking for help but I can't solve this on my own. Thanks
> very much!

Do the fixes I suggested above. And read the debug output.

Alan DeKok.
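
Added example, not part of the original message or of the FreeRADIUS distribution: the four changes the reply asks for, put together for v3. The SSID names `base` and `small` come from the poster's debug line; the user names, the attribute number 3000 and the fail-closed reject policy are assumptions, and Called-Station-SSID is assumed to be populated already, as in the poster's setup. The `#####` marker lines only separate the files shown and are not part of any file.

```text
##### /etc/freeradius/mods-enabled/groups
passwd groups {
	moddir = ${modconfdir}/${.:instance}
	filename = ${moddir}/authorize
	# "~" adds the attribute to the request list; "*," marks User-Name
	# as the lookup key and allows a comma-separated list of keys.
	format = "~Allowed-SSID:*,User-Name"
}

##### /etc/freeradius/mods-config/groups/authorize   (data only, no comments)
base:user1,user2
small:user3

##### raddb/dictionary   (3000 is an assumed free local attribute number)
ATTRIBUTE	Allowed-SSID	3000	string

##### raddb/sites-available/default
authorize {
	# ... existing modules ...
	groups		# must run before the check below

	# Assumed policy: fail closed. Reject when the user has no
	# Allowed-SSID entry or when it does not match the SSID in use.
	if (!&Allowed-SSID || (&Allowed-SSID != &Called-Station-SSID)) {
		reject
	}
	# ... rest of the section ...
}
```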