User Groups within FR

Ben Humpert ben at
Mon May 25 23:15:54 CEST 2015

2015-05-25 22:23 GMT+02:00 Alan DeKok <aland at>:
> On May 25, 2015, at 3:41 PM, Ben Humpert <ben at> wrote:
>> /etc/freeradius/mods-enabled/groups
>> passwd groups {
>>        moddir = ${modconfdir}/${.:instance}
>   Is this for v3?  If so, that's fine...

3.0.7 because you told me to upgrade from 2.1.12 ;)

>>        filename = ${moddir}/authorize
>>        format = "Group-Name:,Allowed-SSID:*,User-Name"
>   That's not correct.  For one, you don't want to re-use the Group-Name attribute.  It already has a meaning.  You probably want:
> format = "~Allowed-SSID:*,User-Name"
>> /etc/freeradius/mods-config/groups/authorize
>> #Group-Name:Allowed-SSID:User-Name
>   Don't put comments into the files.  It won't work.  You should just use:
> SSID:user1,user2,user3
>> I tried that but somehow I can't get it working. I know PHP so
>> if-then-else stuff is not a problem at all but I have a problem
>> reading the Attribute so I can compare it with %{Called-Station-Ssid}.
>   You'll also need to *enable* the "groups" module.  List it in raddb/sites-available/default, in the "authorize" section, and BEFORE the unlang statements which look for Allowed-SSID.

Already had it enabled in my tests and also called it before the
unlang statements. I'm not THAT stupid ;)

>  And add Allowed-SSID to the dictionaries.  See raddb/dictionary.

Also had done that. If not I couldn't have started the server because
of "Unknown attribute" error.

>> I tried it with %{Allowed-SSID}, %Allowed-SSID, &Allowed-SSID,
>> Allowed-SSID and stuff like %{config:Allowed-SSID} or
>> %{config:modules.groups.Allowed-SSID} and in the debug log I see
>   PLEASE don't try random things.  The method of referencing attributes is documented.  If the attribute can't be found, it's because something *else* is wrong.
>> groups: Added Allowed-SSID: 'base,small' to config_items
>> so I should be able to %{config:Allowed-SSID} ==
>> %{Called-Station-Ssid} but the attribute is always empty or I get
>> "Config item "Allowed-SSID" does not exist".
>> I also got the following warning
>> Mon May 25 21:18:22 2015 : Warning: /etc/freeradius/policy.d/access[3]
>> Please change %{Called-Station-Ssid}} to &Called-Station-Ssid}
>   That's fine.
>> so what is the difference between %{Attribute-Name} and
>> &Attribute-Name ? It's hard to google for just these special chars.
>   <sigh>  See "man unlang".  This is documented.  The documentation comes with the server.

Until now I always checked but this time I actually
opened the man unlang on my Linux server and wow, what a difference.
The website just contains "&" six times; for three foo && bar samples.
Are you going to only use the wiki for documentation, manpages, etc.
or do you want to keep the website documentation stuff too? If not I
guess it's ok if we (users) help improving the wiki ourselves?

>> I somehow feel stupid, just a little bit but still beyond acceptance
>> :) and I hate asking for help but I can't solve this on my own. Thanks
>> very much!
>   Do the fixes I suggested above.  And read the debug output.

I did. I used the exact same code for the format setting in the
/etc/freeradius/mods-enabled/groups you've posted above. It worked.
Then I checked my code and saw the problem. I missed the ~.
Instead of getting

groups: Added Allowed-SSID: 'base,small' to config_items

I now get

groups: Added Allowed-SSID: 'base,small' to request_items

I thought having it as a config attribute is fine. I was wrong.

Thank you very much for your help!
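
The difference this message ends on, as an added configuration example (not part of the original post and not taken from the FreeRADIUS distribution): without the "~" prefix the passwd module puts the attribute in the control list (the "config_items" of the debug log), so a bare &Allowed-SSID, which refers to the request list, comes back empty. The hash_size value, the allow_multiple_keys setting, the user names and the one-SSID-per-user layout are assumptions.

```conf
# /etc/freeradius/mods-enabled/groups
passwd groups {
	moddir = ${modconfdir}/${.:instance}
	filename = ${moddir}/authorize

	# No prefix: the attribute is added to the control list.
	#   debug: groups: Added Allowed-SSID: 'base,small' to config_items
	#   unlang reference: &control:Allowed-SSID
	#format = "Allowed-SSID:*,User-Name"

	# "~" prefix: the attribute is added to the request list.
	#   debug: groups: Added Allowed-SSID: 'base,small' to request_items
	#   unlang reference: &Allowed-SSID (same as &request:Allowed-SSID)
	# "*" marks User-Name as the lookup key; "," lets the key field
	# hold several comma-separated user names.
	format = "~Allowed-SSID:*,User-Name"

	hash_size = 50              # assumed value
	allow_multiple_keys = no    # assumed: each user is listed on one line only
}

# /etc/freeradius/mods-config/groups/authorize contains data lines only,
# no comment lines (constructed sample):
#   base:user1,user2
#   small:user3

# raddb/sites-available/default (excerpt of the "authorize" section)
authorize {
	groups      # must be listed before the check that reads Allowed-SSID

	# Reject a user who has an Allowed-SSID entry that differs from the
	# SSID the request arrived on. Users with no entry are not affected.
	if (&Allowed-SSID && (&Allowed-SSID != &Called-Station-Ssid)) {
		reject
	}
}
```

Running the server in debug mode shows which list the module wrote to ("config_items" or "request_items"), which tells you whether the condition needs &control:Allowed-SSID or &Allowed-SSID.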

More information about the Freeradius-Users mailing list