EAP-TLS and LDAP with Windows Server 2012R2 Native Functional Level
Brian Candler
b.candler at pobox.com
Tue Oct 25 09:25:51 CEST 2016
On 24/10/2016 22:07, tj2718 at aol.com wrote:
> It looks like while I have the LDAP check enabled the computers using certificates
> get rejected because they are not found by the LDAP search/filter.
>
> (5) if (Ldap-Group == "WiFi") -> FALSE
I was bitten by that too. Try changing it to:
if (&Ldap-Group == "WiFi")
Reason: Ldap-Group is a "magic" attribute. Rather than actually being
stored on an AV list, a comparison operator which references this
attribute triggers some code which performs the actual LDAP lookup(s).
However, whereas in most places in FreeRADIUS the & is optional, here
it's not. If you miss it, it silently fails; perhaps it is looking on
the "real" AV list instead.
In addition: since Ldap-Group is multi-valued, and you want to check if
*any* of the groups is "WiFi", you may want to write instead
if (&Ldap-Group[*] == "WiFi")
If this were a normal attribute, missing the [*] would mean you only
check against the first value of a multi-valued attribute. With a
"magic" attribute I don't know if it's necessary, but it does no harm to
have it.
There is another way to deal with this, which is to enable one of these
settings:
cacheable_name = 'no'
cacheable_dn = 'no'
They cause the LDAP group query to be performed up-front and the results
stored as real AV pairs (either the group names or the group DNs
respectively). Then you can use them just like any normal attribute,
e.g. in string expansions, and the '&' is optional again.
Regards,
Brian.
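As an added example (not from Brian's post or from the FreeRADIUS distribution), here is a constructed FreeRADIUS 3.x fragment that puts the two points above side by side: the broken comparison without the `&`, the corrected `&Ldap-Group[*]` check, and the ldap module's group subsection with `cacheable_name` switched on so the group names also exist as ordinary attributes. The base_dn, filter and group name "WiFi" are placeholders for the site's own directory layout.

```unlang
# --- mods-available/ldap, group subsection (constructed example) ---
ldap {
    group {
        base_dn = "ou=groups,dc=example,dc=com"   # placeholder
        filter = "(objectClass=group)"            # placeholder
        name_attribute = cn
        membership_attribute = "memberOf"
        # Default is "no": Ldap-Group is then only a "magic" attribute
        # resolved when a comparison references it with '&'.
        # "yes": the group lookup runs up front and the group names are
        # stored as real AV pairs (cacheable_dn = yes would store the DNs).
        cacheable_name = yes
        cacheable_dn = no
    }
}

# --- sites-enabled/default, authorize section (constructed example) ---
authorize {
    # The ldap module must run first so the user's DN is known for the
    # group lookup that follows.
    ldap

    # Wrong: no '&', so the comparison never triggers the LDAP group
    # lookup and silently evaluates to FALSE (debug: "-> FALSE").
    #   if (Ldap-Group == "WiFi") { ok }

    # Right: '&' marks the attribute reference, '[*]' tests every value
    # of the multi-valued attribute rather than only the first one.
    if (&Ldap-Group[*] == "WiFi") {
        # With cacheable_name = yes the names are also usable in string
        # expansions, e.g. for a log line (assumed control-list location).
        update reply {
            &Reply-Message := "groups: %{control:Ldap-Group[*]}"
        }
        ok
    }
    else {
        reject
    }
}
```

Run the server with `radiusd -X` and look for the `if (&Ldap-Group[*] == "WiFi") -> TRUE` line to confirm the lookup is actually being performed.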