Freeradius 2.2.5 Access by SSID

Matthew Newton matthew at newtoncomputing.co.uk
Wed Aug 9 23:32:13 CEST 2017


On Wed, Aug 09, 2017 at 12:57:16PM -0300, Alejandro Cabrera Obed wrote:
> According to your response, I see I have to configure the
> /etc/freeradius/modules/ldap file with my AD parameters (IP, port,
> user/pass for query, etc).

Yes. And the group settings so it knows how to query groups
correctly.

> 1) Do I have to add a new attribute in the AD for each user, with a SSID
> field in order to check it through LDAP lookup?

No, you can add the users to an AD group. Then you check the user
is in that group, for a certain condition.

So if you add user 'bob' to group 'sales', and configure the
group settings in ldap correctly, you can do something like

if (Ldap-group == 'sales') {
 ...
}

Ldap-group is a "magic" attribute which will trigger an ldap
lookup behind the scenes. The mods-enabled/ldap config has the
settings to tell the ldap module to look up the User-Name
attribute, hence it will look up 'bob' (User-Name) in 'sales'
(from the if statement).

> 2) Which file do I have to add "if (Called-Station-SSID == "SSID1" and
> !(Ldap-Group == "group-ssid-one")) {reject}" sentence?

sites-enabled/default (or sometimes sites-enabled/inner-tunnel, depending
on what you're doing), likely in the authorize section, or the
post-auth section.

> 3) What do I have to fill the Ldap-group attribute in my users file, if I
> want to check SSID attribute and after that compare it with the SSID coming
> into "Called-id-station"?

I wouldn't do it in your users file. Use unlang in the
sites-enabled/ file as described above. The wiki page does give
examples of this.

-- 
Matthew
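The following is an added example of what the per-SSID group check described in this reply could look like as an authorize section fragment for sites-enabled/default; it is not taken from the list post or from the FreeRADIUS distribution. It assumes FreeRADIUS 2.x, that the ldap module's group settings are configured so that Ldap-Group comparisons work, and that the rewrite_called_station_id policy shipped in policy.conf is used to split Called-Station-Id so that Called-Station-SSID is populated. The SSID names and group names are placeholders.

```unlang
# Added example, not from the original post. Fragment of the authorize
# section in sites-enabled/default for FreeRADIUS 2.x.
# Assumptions: ldap module group settings are configured; the
# rewrite_called_station_id policy from policy.conf populates
# Called-Station-SSID from Called-Station-Id ("aa-bb-cc-dd-ee-ff:SSID1").
# "SSID1", "SSID2", "group-ssid-one" and "group-ssid-two" are placeholders.
authorize {
    preprocess

    # Split Called-Station-Id into the AP MAC and Called-Station-SSID.
    rewrite_called_station_id

    # Per-SSID gate: a user may only authenticate on an SSID whose AD group
    # they belong to. Each Ldap-Group comparison triggers a group lookup
    # for User-Name in the directory, so no per-user SSID attribute is needed.
    if (Called-Station-SSID == "SSID1" && !(Ldap-Group == "group-ssid-one")) {
        update reply {
            Reply-Message := "Not authorised on this SSID"
        }
        reject
    }
    elsif (Called-Station-SSID == "SSID2" && !(Ldap-Group == "group-ssid-two")) {
        update reply {
            Reply-Message := "Not authorised on this SSID"
        }
        reject
    }

    # The rest of the shipped authorize section (ldap, eap, ...) follows.
    ldap
    eap
}
```

Two points to check when deploying a block like this: rewrite_called_station_id must run before the comparison, otherwise Called-Station-SSID is empty and the first condition is simply false, so nothing is rejected. Secondly, for tunnelled EAP methods (PEAP, TTLS) the inner identity is processed in sites-enabled/inner-tunnel, where Called-Station-Id is only present if the outer request's attributes are copied into the tunnel; if the check is placed there, confirm with debug output (radiusd -X) that the attribute is visible in the inner request, or reference the outer request explicitly.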
