v3.0.10: how to specify allowed SSID list in users file?

"František Hanzlík" franta at hanzlici.cz
Sun Nov 13 09:38:15 CET 2016

I want authenticate WiFi users on freeradius-3.0.10. AP provides several
SSIDs and I want certain users to be able connect just to certain SSIDs.
Users are few, and I want for AAA use files module. My idea is use
notation something like this (in users file mods-config/files/authorize):

tom   Cleartext-Password := "to", Wifi-Allowed = "SSID1,SSID2"
pepa  Cleartext-Password := "pp", Wifi-Allowed = "SSID1"
petr  Cleartext-Password := "pe", Wifi-Allowed = "SSID3"

and then test it in default server "authorize" section somewhere after
"files" module specification with unlang code something as:

switch &Called-Station-SSID {
    case "SSID1" {
        if (&control:Wifi-Allowed =~ /.*SSID1.*/ ) {
        } else {
    case "SSID2" {
        if (&control:Wifi-Allowed =~ /.*SSID2.*/ ) {
        } else {


Called-Station-SSID I've filled by calling rewrite_called_station_id at
beginnig of the "authorize" section (just after "filter_username"), this
part seems be fine.

Unfortunately, all my attempts ends unsuccessfully, mostly with syntax
error in 'users' file, or at run at 'if (&control:Wifi-Allowed ...' with
"ERROR: Failed retrieving values required to evaluate condition

Attribute "Wifi-Allowed" i tried declare in %{raddb}/dictionary or
%{raddb}/dictionary.local, both without success.

Is it even possible to carry out this way?  What should be the correct

I also tried another way, where I had additional file in form:


and parse it with slightly modified etc_group module and then check with
similar unlang code as above - and it work fine; but as a disadvantage
there must be two configuraton files.
I would have been happier if it was possible to have a user, its password
(or certificate - it's also possible?), and him allowed SSID in one
(perhaps "users") file.

TIA, Franta

More information about the Freeradius-Users mailing list