FreeRadius 3.0.13 - Using SSID to check AD groups
Brian Candler
b.candler at pobox.com
Tue Apr 4 11:24:18 CEST 2017
On 04/04/2017 09:30, Pierre de Jong wrote:
> We could see that it was working, in the "radiusd -X" output.
So please show us the radiusd -X output from an exchange where the
problem occurs.
> We encountered the following problem:
>
> UNABLE to use "%{Called-Station-SSID}" (nor %Called-Station-SSID)
What do you mean by "unable to use"?
What's important is what attributes are in the incoming request, and
which attribute identifies the SSID the user is connecting to. This is
different depending on what AP you are using.
>
> - rewrite_called_station_id --> has been called in "authorized" that
> should "instantiate" the Called-Station-SSID
Only if your AP generates a Called-Station-ID attribute in the format
expected by that policy function. Does it? The freeradius -X output
would show this.
>
> post-auth {
> if (LDAP-Group ="grp-ssid-%{Called-Station-SSID}") {
> update reply {
> Reply-Message =Hello %{User-Name}: accès
> permis sur %{Called-Station-SSID} a"
> }
freeradius -X output would show what's happening. Note that the "="
operator is probably not what you want. And that the LDAP-Group
attribute is multi-valued so you want [*] to check for all values, not
just the first. And also, dependent on how you've configured your LDAP
lookup, the LDAP-Group attribute is a "magic" attribute which may return
empty string unless you explicitly use the "&" prefix.
So I'd suggest writing it like this:

    if (&LDAP-Group[*] == "grp-ssid-%{Called-Station-SSID}") {
        ...
    }
HTH,
Brian.
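
Added example, not part of the original post or of FreeRADIUS itself: a small Python model of two points from the reply above, namely that Called-Station-SSID only exists when the AP sends Called-Station-Id as a MAC followed by the SSID, and that checking every LDAP-Group value differs from checking only the first. The regular expression is an assumption modelled on the stock rewrite_called_station_id policy, and the function names and sample values are constructed for illustration.

```python
import re

# Assumption: modelled on the stock rewrite_called_station_id policy, which
# expects "<MAC><one separator character><SSID>". Check your installed policy.
_OCTET = r"([0-9a-f]{2})"
CALLED_STATION_RE = re.compile(
    "^" + r"[^0-9a-f]?".join([_OCTET] * 6) + r"([^0-9a-f](.+))?$",
    re.IGNORECASE,
)


def split_called_station_id(value):
    """Return (normalised MAC, SSID); SSID is None if the AP sent no SSID part."""
    m = CALLED_STATION_RE.match(value)
    if not m:
        return None, None
    mac = "-".join(m.group(i) for i in range(1, 7)).upper()
    return mac, m.group(8)


def allowed_any_value(called_station_id, ldap_groups):
    """Models LDAP-Group[*]: any group value may match. Fails closed without an SSID."""
    _, ssid = split_called_station_id(called_station_id)
    if not ssid:
        return False
    return ("grp-ssid-" + ssid) in ldap_groups


def allowed_first_value(called_station_id, ldap_groups):
    """Models a comparison that only looks at the first group value."""
    _, ssid = split_called_station_id(called_station_id)
    return bool(ssid) and ldap_groups[:1] == ["grp-ssid-" + ssid]


# Constructed sample data, not taken from the thread.
SAMPLE_GROUPS = ["Domain Users", "grp-ssid-Staff"]
SAMPLE_IDS = ["00-11-22-AA-BB-CC:Staff", "00:11:22:aa:bb:cc:Guest", "0011.22aa.bbcc"]

if __name__ == "__main__":
    for cid in SAMPLE_IDS:
        mac, ssid = split_called_station_id(cid)
        print(f"{cid!r}: mac={mac} ssid={ssid} "
              f"any={allowed_any_value(cid, SAMPLE_GROUPS)} "
              f"first={allowed_first_value(cid, SAMPLE_GROUPS)}")
```

The third sample carries a MAC only, so no SSID is extracted and the check denies access rather than comparing against the bare "grp-ssid-" prefix.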