unlang mapping different users to different authentication source

Herwin Weststrate herwin at quarantainenet.nl
Tue Feb 2 15:44:24 CET 2016


On 02-02-16 15:23, James Chen wrote:
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +group authorize {
> ++? if ("%{request:Aruba-Essid-Name}" == "microshield-test" )
>         expand: %{request:Aruba-Essid-Name} ->
> ? Evaluating ("%{request:Aruba-Essid-Name}" == "microshield-test" ) ->
> FALSE
> ++? if ("%{request:Aruba-Essid-Name}" == "microshield-test" ) -> FALSE
> ++else else {

That means the attribute request:Aruba-Essid-Name is not available or
has a different value. Earlier in the debug logging a complete dump of
the request packet is shown, you can use that to see how the ssid is
transmitted.

There are a couple of ways an ssid can added to a radius packet.
Aruba-Essid-Name is just one of them, other values that I'm aware of are
Colubris-AVPair and Cisco-AVPair with a value ssid=(.*), or appended to
Called-Station-Id. What is used really depends on the NAS and the
configuration of the NAS.

-- 
Herwin Weststrate


More information about the Freeradius-Users mailing list