FreeRadius 3.0.13 - Using SSID to check AD groups

Brian Candler b.candler at
Tue Apr 4 11:24:18 CEST 2017

On 04/04/2017 09:30, Pierre de Jong wrote:
> We could see that is was working, in the "radiusd -X" output.
So please show us the radiusd -X output from an exchange where the 
problem occurs.

> We encountered the following problem:
> UNABLE to use "%{Called-Station-SSID}"  (nor %Called-Station-SSID)
What do you mean by "unable to use"?

What's important is what attributes are in the incoming request, and 
which attribute identifies the SSID the user is connecting to. This is 
different depending on what AP you are using.

> - rewrite_called_station_id   --> has been called in "authorized" that
> should "instantiate" the Called-Station-SSID
Only if your AP generates a Called-Station-ID attribute in the format 
expected by that policy function.  Does it? The freeradius -X output 
would show this.

> post-auth {
>                  if (LDAP-Group ="grp-ssid-%{Called-Station-SSID}") {
>                          update reply {
>                                  Reply-Message =Hello %{User-Name}: accès
> permis sur %{Called-Station-SSID} a"
>                          }

freeradius -X output would show what's happening. Note that the "=" 
operator is probably not what you want.  And that the LDAP-Group 
attribute is multi-valued so you want [*] to check for all values, not 
just the first. And also, dependent on how you've configured your LDAP 
lookup, the LDAP-Group attribtue is a "magic" attribute which may return 
empty string unless you explicitly use the "&" prefix.

So I'd suggest writing it like this:

if (&LDAP-Group[*] == "grp-ssid-%{Called-Station-SSID}") {



More information about the Freeradius-Users mailing list