Evaluate Ldap-Group and SSID for WiFi authorization
Alan DeKok
aland at deployingradius.com
Wed Aug 23 15:59:43 CEST 2017
On Aug 23, 2017, at 9:06 AM, Adam Cage <adamcage27 at gmail.com> wrote:
>
> People, good morning...I have a Freeradius with AD authentication and LDAP
> authorization working OK.
That's good.
> Now I have to authorize users that belong to GROUP1 and have SSID = Free, I
> have these definitions:
>
> - GROUP1 is a group defined in the AD
>
> - SSID comes with Called-Station-Id in the form MAC Address:SSID, for
> example "51:bc:11:e1:34:70:Free", and it's not defined in the AD
That's the standard way it's received, yes.
> - The clause defined in default and inner-tunnel files is:
>
> if (LDAP-Group == "GROUP1" && Called-Station-Id == "*:Free") {
No, that won't work. See "man unlang". The equality comparison == tests for *equality*. And the string "51:bc:11:e1:34:70:Free" isn't equal to the string ":Free"
You should use regular expressions instead: See the =~ operator.
> After testing, I fail and this is the debug:
>
> Wed Aug 23 09:34:58 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in
> group GROUP1
> Wed Aug 23 09:34:58 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
> Wed Aug 23 09:34:58 2017 : Info: ? Evaluating (LDAP-Group == "GROUP1" ) ->
> TRUE
> Wed Aug 23 09:34:58 2017 : Info: (Attribute Called-Station-Id was not
> found)
That's a different error.
It means that the Called-Station-ID attribute wasn't found... so you can't do matches on it.
Fix that problem first. You probably want:
if (LDAP-Group == "GROUP1" && outer:Called-Station-Id =~ /:Free$/ ) {
Alan DeKok.
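Added example, not part of the thread and not FreeRADIUS code: a small Python model of the policy under discussion, showing why the literal `==` against "*:Free" can never match, what the anchored `=~ /:Free$/` matches, and how the inner-tunnel check fails when Called-Station-Id is not present (hence `outer:`). The MAC:SSID layout with colon-separated octets is assumed from the value quoted in the question.

```python
import re

# Called-Station-Id as quoted in the thread: "<MAC>:<SSID>" with a colon-separated
# MAC. An SSID may itself contain ':', so we anchor on the six leading octets instead
# of splitting on the last colon. (Assumption: the NAS only sends this form.)
_CSI_RE = re.compile(r'^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}):(?P<ssid>.+)$')

def split_called_station_id(value):
    """Return (mac, ssid) or None if the value is not in MAC:SSID form."""
    m = _CSI_RE.match(value)
    if not m:
        return None
    return m.group('mac').lower(), m.group('ssid')

def equality_test(called_station_id, pattern="*:Free"):
    """What `Called-Station-Id == "*:Free"` does: a plain string comparison.
    '*' is not a wildcard for ==, so a real MAC:SSID value never equals it."""
    return called_station_id == pattern

def regex_test(called_station_id, ssid="Free"):
    """What `Called-Station-Id =~ /:Free$/` does: match the anchored ':Free' suffix.
    Note this also accepts an SSID such as 'Guest:Free'; parsing the MAC off the
    front (authorize_wifi below) is stricter."""
    return re.search(r':' + re.escape(ssid) + r'$', called_station_id) is not None

def authorize_wifi(request, ldap_groups, group="GROUP1", ssid="Free"):
    """Mirror the corrected condition from the reply.

    request     -- dict of request lists, e.g. {"outer": {"Called-Station-Id": ...}}
    ldap_groups -- groups rlm_ldap found the user in (what LDAP-Group == tests)
    Returns (accepted, reason) so the caller can log why a request was refused.
    """
    if group not in ldap_groups:
        return False, "user not in %s" % group
    # In the inner tunnel the RADIUS attributes are on the outer request, which is
    # why the reply references outer:Called-Station-Id. A missing attribute is the
    # "(Attribute Called-Station-Id was not found)" case from the debug output.
    csi = request.get("outer", {}).get("Called-Station-Id")
    if csi is None:
        return False, "Called-Station-Id not found in outer request"
    parsed = split_called_station_id(csi)
    if parsed is None:
        return False, "Called-Station-Id %r is not MAC:SSID" % csi
    mac, got_ssid = parsed
    if got_ssid != ssid:
        return False, "SSID %r is not %r" % (got_ssid, ssid)
    return True, "%s on SSID %s via AP %s" % (group, ssid, mac)
```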