Referencing LDAP/AD attributes in post-auth section

Stefano Pardini stefanopardini at
Wed Aug 3 18:07:26 CEST 2016

I'm sorry for asking such a simple thing but I can't find any
reference for FreeRadius3.

I have been successfully using this functionality in Freeradius2, in
the same manner as reported here:

I've created a new ldap module inside mods-available/ldap to extract a
specific ldap attribute (macAddress) from a specific ldap location as
reported here in rlm_ldap module documentation.
ldap ldap_mac_auth {
        server = 'samba4.server.mynet.lan'
        identity = 'cn=administrator,cn=Users,dc=ad,dc=mynet,dc=lan'
        password = p4ss
        base_dn = 'ou=WiFi,ou=Computers,ou=MyNet,dc=ad,dc=mynet,dc=lan'

        update {
                reply:macAddress                := 'macAddress'


        user {
                base_dn = "${..base_dn}"
                filter =

Then I'm calling it inside the authorize section of the default server.
authorize {

In the post-auth section of the default server I'm applying the
following control.
post-auth {
        if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) {
                 update reply {
                        Tunnel-Private-Group-Id := 43
                        Tunnel-Medium-Type := "IEEE-802"
                        Tunnel-Type := "VLAN"

Inside the dictionary file I've added the reference to that variable.
ATTRIBUTE       macAddress              3000    string

During the authentication process I can see the ldap_auth_mac module running.
(2) ldap_mac_auth: EXPAND
(2) ldap_mac_auth:    --> (&(objectClass=computer)(managedBy=CN\3dTest
(2) ldap_mac_auth: Performing search in
"ou=WiFi,ou=Computers,ou=MyNet,dc=ad,dc=mynet,dc=lan" with filter
scope "sub"
(2) ldap_mac_auth: Waiting for search result...
(2) ldap_mac_auth: User object found at DN
(2) ldap_mac_auth: Processing user attributes
(2) ldap_mac_auth: reply:macAddress := '13-59-F3-A3-94-00'

So, as you see, the macAddress ldap attribute is correctly mapped to
the reply:macAddress variable. But at the end of the process,
executing the post-auth section, this is the result:

(10)   post-auth {
(10)     if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) {
(10)     EXPAND %{reply:macAddress}
(10)        -->
(10)     EXPAND %{Calling-Station-Id}
(10)        --> 13-59-F3-A3-94-00
(10)     if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" )  -> FALSE

So the variable "reply:macAddress" couldn't be correctly expanded.

I'm using FreeRADIUS Version 3.0.12.

Thanks in advance for your help.
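
An added example, not part of the original post: a Python script that reads FreeRADIUS debug lines like the ones quoted above and reports attributes that were assigned under one request number (the number in parentheses) but expanded to an empty string under another, as happens here between (2) and (10). The function names and regular expressions are assumptions made for this example, and the sample log is constructed from the lines quoted in the post.

```python
import re

# Constructed sample: debug lines copied from the post above.
SAMPLE_LOG = """\
(2) ldap_mac_auth: Processing user attributes
(2) ldap_mac_auth: reply:macAddress := '13-59-F3-A3-94-00'
(10)   post-auth {
(10)     if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) {
(10)     EXPAND %{reply:macAddress}
(10)        -->
(10)     EXPAND %{Calling-Station-Id}
(10)        --> 13-59-F3-A3-94-00
"""

LINE = re.compile(r"^\((\d+)\)\s*(.*)$")        # "(N) rest of line"
ASSIGN = re.compile(r"^\S+:\s+(\w+:[\w-]+)\s*:?=\s*'(.*)'$")
EXPAND = re.compile(r"^EXPAND\s+%\{([^}]+)\}$")
RESULT = re.compile(r"^-->\s*(.*)$")

def trace_attributes(log):
    """Return (assignments, expansions) as lists of (request, attr, value)."""
    assigned, expanded, pending = [], [], None
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        req, text = int(m.group(1)), m.group(2).strip()
        if (a := ASSIGN.match(text)):
            assigned.append((req, a.group(1), a.group(2)))
        elif (e := EXPAND.match(text)):
            pending = (req, e.group(1))          # wait for the "-->" line
        elif (r := RESULT.match(text)) and pending and pending[0] == req:
            expanded.append((req, pending[1], r.group(1)))
            pending = None
    return assigned, expanded

def empty_after_set(log):
    """Attributes set in one request number but expanded empty in another."""
    assigned, expanded = trace_attributes(log)
    findings = []
    for req, attr, value in expanded:
        if value:
            continue
        for set_req, set_attr, set_val in assigned:
            if set_attr == attr and set_req != req:
                findings.append({"attr": attr, "set_in": set_req,
                                 "value": set_val, "empty_in": req})
    return findings
```
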
