FreeRadius 3.0.13 - Using SSID to check AD groups
Pierre de Jong
pierredejong at gmail.com
Fri Apr 7 16:00:07 CEST 2017
Hello Alan,
You are absolutely correct, and I would like to apologize...
Indeed, between two "mailing list" messages, we worked on the project, and
you are right, my "radiusd -X" output was not showing "wrong" things...
thus, not giving any ways to go "forward"... again, apologies.
Meanwhile, and just if someone is "following" this, I was trying to use,
from memory (again, we "had" to go on that project, and conf changed a lot)
we were trying to use it in the "user" file. (authorize) but there, it was
not working,
And just to let "the mailing list" know, we (mostly my colleague who did a
great job) worked out what we needed...
We had quite some "reflection" about the way to put in place the user -
user at dom.priv - dom\user - dom.priv\user to be able to connect...
And the "AD nested group" check needed also some "time" to find the right
modification in the ldap group
So, Alan, I know you know you are, but I want to tell anyway: you were
totally right, and I thank you for the "slap in my face" ...
If anyone has questions, or is "interested" on what has been put in place,
do not hesitate ... If I can, it will be a pleasure to help.
Wish you all a great day.
Pierre de Jong
-.-.-.-.-.-.-.-.-.-.-
2017-04-05 16:54 GMT+02:00 Alan DeKok <aland at deployingradius.com>:
> On Apr 5, 2017, at 10:27 AM, Pierre de Jong <pierredejong at gmail.com>
> wrote:
> >
> > As promised, I send you a radiusd -X output. complete.
> > I see that straight at the beginning, policy rewrite_called_station_id is
> > done.
> >
> > --> EXPAND %{Called-Station-SSID}
> > (0) --> TSSID1
> >
> >
> > even with that, as I said, I cannot use that "%{Called-Station-SSID}"
> > anywhere else than in "post-auth"...
>
> That's just not true. If Called-Station-SSID exists, you can use it.
> If it doesn't exist, you can't use it. The debug log shows when and where
> it exists.
>
> > Is that normal?
> >
> > Do you see "horror" in those logs ? :-D
>
> The debug log shows:
>
> 1) Called-Station-SSID being used by the rewrite_called_station_id policy
>
> 2) Called-Station-SSID being used in post-auth
>
> If you want to show that it's not available elsewhere, you have to post
> a debug log where you try to USE IT elsewhere, and then show it doesn't
> work.
>
> Right now, the debug log shows nothing useful.
>
> Please also go back and read my previous message. You need to READ the
> debug log, and you need to understand what you're editing.
>
> I said: * My guess is that you're trying to expand it in the
> "inner-tunnel" virtual server, *
>
> Are you doing that? WHERE are you trying to use it?
>
> Again, all you're doing is saying "it works here", and posting debug
> logs showing it works there. You're not saying where else it doesn't work
> (other than "everywhere", which is unhelpful), and you're not showing the
> debug logs of you trying to use it elsewhere.
>
> This is basic debug methods. Ask good questions, tell people what
> you're doing, compare what you've done to what happens...
>
> Alan DeKok.
>
>