EAP-TLS and LDAP with Windows Server 2012R2 Native Functional Level

Brian Candler b.candler at pobox.com
Tue Oct 25 09:25:51 CEST 2016

On 24/10/2016 22:07, tj2718 at aol.com wrote:
> It looks like while I have the LDAP check enabled the computers using certificates
> get rejected because they are not found by the LDAP search/filter.
> (5) if (Ldap-Group == "WiFi") -> FALSE

I was bitten by that too. Try changing it to:

if (&Ldap-Group == "WiFi")

Reason: Ldap-Group is a "magic" attribute. Rather than actually being 
stored on an AV list, a comparison operator which references this 
attribute triggers some code which performs the actual LDAP lookup(s).

However, whereas in most places in FreeRADIUS the & is optional, here 
it's not. If you miss it, it silently fails; perhaps it is looking on 
the "real" AV list instead.

In addition: since Ldap-Group is multi-valued, and you want to check if 
*any* of the groups is "WiFi", you may want to write instead

if (&Ldap-Group[*] == "WiFi")

If this were a normal attribute, missing the [*] would mean you only 
check against the first value of a multi-valued attribute. With a 
"magic" attribute I don't know if it's necessary, but it doesn't harm to 
have it.

There is another way to deal with this, which is to enable one of these 

                cacheable_name = 'no'
                cacheable_dn = 'no'

They cause the LDAP group query to be performed up-front and the results 
stored as real AV pairs (either the group names or the group DNs 
respectively). Then you can use them just like any normal attribute, 
e.g. in string expansions, and the '&' is optional again.



More information about the Freeradius-Users mailing list