FreeRadius 3.0.13 - Using SSID to check AD groups

Pierre de Jong pierredejong at gmail.com
Tue Apr 4 10:30:01 CEST 2017


Hi,

I am currently trying to set up a single FreeRadius 3.0.13 server to handle
different SSIDs on a network.
Users should be allowed to use certain SSIDs IF they are in certain AD groups.

We (my colleague and myself) have been able to work things out, BUT we would
like to optimise.

Here is what has been done:

In the DEFAULT site:

Authenticate -->  With the MSCHAP via NTLM_Auth

Authorize ---> we have configured the LDAP module to be able to query the AD


We could see that it was working, in the "radiusd -X" output.

Then we implemented this, under....

But the first "if" does not work, although it should be ENOUGH and really
dynamic enough.... if the SSID and AD Group are created the right way.

We encountered the following problem:

UNABLE to use "%{Called-Station-SSID}"  (nor %Called-Station-SSID)

But  %{User-Name} works great.


- rewrite_called_station_id   --> has been called in "authorized" that
should "instantiate" the Called-Station-SSID

post-auth {
                if (LDAP-Group == "grp-ssid-%{Called-Station-SSID}") {
                        update reply {
                                Reply-Message = "Hello %{User-Name}: accès permis sur %{Called-Station-SSID} a"
                        }
                        ok
                        return
                }
                if (LDAP-Group == "grp-ssid-GRP-Radius" && Called-Station-SSID == "GRP-Radius") {
                        update reply {
                                Reply-Message = "Hello %{User-Name}: accès permis sur %{Called-Station-SSID} b"
                        }
                        ok
                        return
                }
                if (LDAP-Group == "grp-ssid-GRP-Radius2" && Called-Station-SSID == "GRP-Radius2") {
                        update reply {
                                Reply-Message = "Hello %{User-Name}: accès permis sur %{Called-Station-SSID} "
                        }
                        ok
                        return
                } else {
                        update reply {
                                Reply-Message = "Hello %{User-Name}: Vous n'avez pas accès"
                        }
                        reject
                }
}
####


- Is there any way to use that "CALLED-STATION-SSID"? anywhere.... or,
where is it "usable".
- Is that kind of "mechanism" the good way to go ?
- Is there a way to initialise a "global" variable, so that we can use it
"anywhere" ? (UNLANG)

Thanks in advance

Pierre de Jong
-.-.-.-.-.-.-.-.-.-.-
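
The check described in the message above, modelled outside FreeRADIUS as an added example (not code from the post or from the FreeRADIUS project): derive the SSID from Called-Station-Id, build the "grp-ssid-<SSID>" group name, and refuse when the SSID is missing instead of comparing against the bare prefix. Assumptions: the NAS sends Called-Station-Id as a MAC address followed by one separator character and the SSID; the character allowlist and the case-insensitive group match are constructed policy choices; all sample values are constructed.

```python
import re

# Assumed layout: six hex octets (optional separator between them),
# then one separator character and the SSID.
_CALLED_STATION = re.compile(
    r"^((?:[0-9a-f]{2}[^0-9a-f]?){5}[0-9a-f]{2})(?:[^0-9a-f](.+))?$", re.I
)
# Constructed policy choice: SSIDs that may be embedded in a group name.
_SAFE_SSID = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
GROUP_PREFIX = "grp-ssid-"  # naming convention taken from the post


def split_called_station_id(value):
    """Return (mac, ssid); ssid is None when no SSID component is present."""
    m = _CALLED_STATION.match(value or "")
    if not m:
        return None, None
    mac = "-".join(re.findall(r"[0-9a-f]{2}", m.group(1), re.I)).upper()
    return mac, m.group(2)


def authorize(called_station_id, user_groups):
    """Return (allowed, reason) for one request."""
    _, ssid = split_called_station_id(called_station_id)
    if not ssid:
        # Without this guard the lookup would be for the bare "grp-ssid-".
        return False, "no SSID in Called-Station-Id"
    if not _SAFE_SSID.match(ssid):
        return False, "SSID not allowed in a group name"
    group = GROUP_PREFIX + ssid
    # Assumption: group names are compared case-insensitively.
    if group.lower() in {g.lower() for g in user_groups}:
        return True, group
    return False, "not a member of " + group


if __name__ == "__main__":
    groups = ["grp-ssid-GRP-Radius"]  # constructed group membership
    for csid in ("00-11-22-AA-BB-CC:GRP-Radius",   # constructed samples
                 "00-11-22-AA-BB-CC:GRP-Radius2",
                 "00-11-22-AA-BB-CC"):
        print(csid, "->", authorize(csid, groups))
```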

