FreeRadius 3.0.13 - Using SSID to check AD groups

Pierre de Jong pierredejong at
Fri Apr 7 16:00:07 CEST 2017

Hello Alan,

You are absolutely correct, and I would like to apologize...

Indeed, between two "mailing list" messages, we worked on the project, and
you are right, my "radiusd -X" output was not showing "wrong" things...
thus, not giving any ways to go "forward"... again, apologies.

Meanwhile, and just if someone is "following" this, I was trying to use,
from memory (again, we "had" to go on that project, and conf changed a lot)
we were trying to use it in the "user" file. (authorize) but there, it was
not working,

And just to let "the mailing list" know, we (mostly my colleague who did a
great job) worked out what we needed...

We had quite some "reflection" about the way to put in place the user -
user at dom.priv - dom\user - dom.priv\user to be able to connect...

And the "AD nested group" check needed also some "time" to find the right
modification in the ldap group

So, Alan, I know you know you are, but I want to tell anyway: you were
totally right, and I thank you for the "slap in my face" ...

If anyone has questions, or is "interested" on what has been put in place,
do not hesitate ... If I can, it will be a pleasure to help.

Wish you all a great day.

Pierre de Jong

2017-04-05 16:54 GMT+02:00 Alan DeKok <aland at>:

> On Apr 5, 2017, at 10:27 AM, Pierre de Jong <pierredejong at>
> wrote:
> >
> > As promised, I send you an radiusd -X output. complete.
> > I see that straight at the beginning,  policy rewrite_called_station_id is
> > done.
> >
> > --> EXPAND %{Called-Station-SSID}
> > (0)                --> TSSID1
> >
> >
> > even with that, as I said, I cannot use that "%{Called-Station-SSID}
> > anywhere else than in "post-auth"...
>   That's just not true.  If Called-Station-SSID exists, you can use it.
> If it doesn't exist, you can't use it.  The debug log shows when and where
> it exists.
> > Is that normal?
> >
> > Do you see "horror" in those logs ? :-D
>   The debug log shows:
> 1) Called-Station-SSID being used by the rewrite_called_station_id policy
> 2) Called-Station-SSID being used in post-auth
>   If you want to show that it's not available elsewhere, you have to post
> a debug log where you try to USE IT elsewhere, and then show it doesn't
> work.
>   Right now, the debug log shows nothing useful.
>   Please also go back and read my previous message.  You need to READ the
> debug log, and you need to understand what you're editing.
>   I said: * My guess is that you're trying to expand it in the
> "inner-tunnel" virtual server, *
>   Are you doing that?  WHERE are you trying to use it?
>   Again, all you're doing is saying "it works here", and posting debug
> logs showing it works there.  You're not saying where else it doesn't work
> (other than "everywhere", which is unhelpful), and you're not showing the
> debug logs of you trying to use it elsewhere.
>   This is basic debug methods.  Ask good questions, tell people what
> you're doing, compare what you've done to what happens...
>   Alan DeKok.
