Trying to Authorize Users based on AD Groups and SSIDs

Misbah Hussaini misbhauddin at gmail.com
Thu Feb 16 14:12:11 CET 2017


Dear Alan,

> The "if" condition doesn't match.  Why?  Go read the debug output.  Run
> tests on each "if" check.  *Understand* how the server works.

I changed the if condition to the one below, but it still does not
match. I can confirm from the logs that Called-Station-SSID is set to
SSID02362. What is wrong with the if condition?

if (!State) {
        if (Called-Station-SSID == "SSID02362") {
                reject
        }
}

Here is the processing of the rewrite statement from the debug output; the
full debug can be found here -> http://pastebin.com/SuS2t9Er

 rewrite_called_station_id rewrite_called_station_id {
(8)     if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(8)     if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(8)     if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(8)     update request {
(8) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(8)    --> 40-18-b1-8b-a7-54
(8)     Called-Station-Id := "40-18-b1-8b-a7-54"
(8)     } # update request = noop
(8)      if ("%{8}")
(8) EXPAND %{8}
(8)    --> SSID02362
(8)      if ("%{8}")  -> TRUE
(8)     if ("%{8}")  {
(8)      update request {
(8) EXPAND %{8}
(8)    --> SSID02362
(8)     Called-Station-SSID := "SSID02362"


Regards
Misbah

On 16 February 2017 at 16:51, Alan DeKok <aland at deployingradius.com> wrote:

> On Feb 16, 2017, at 2:12 AM, Misbah Hussaini <misbhauddin at gmail.com>
> wrote:
> > Alan,
> >
> > Thanks for the reply. I have configured the code below in the top section
> > of authorize in the inner tunnel config, but all users are getting access
> > to the SSID, though the debug shows an LDAP check happening. You can check
> > the debug from pastebin here -> http://pastebin.com/1BXxxvtC
>
>   You can read it, too.
>
>   The "if" condition doesn't match.  Why?  Go read the debug output.  Run
> tests on each "if" check.  *Understand* how the server works.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
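The rewrite policy and the reject check discussed in this thread, modelled in Python as an added example (this is not code from the thread or from FreeRADIUS itself). The regular expression is the one printed in the debug output above and the attribute names are FreeRADIUS's; the request dictionaries, the blocked-SSID set, the sample Called-Station-Id values and the function names are constructed for the example.

```python
import re

# The regular expression the rewrite_called_station_id policy applies, as
# printed in the debug output: six hex pairs, each optionally followed by a
# single non-hex separator, then an optional ":<SSID>" suffix.  Groups 1-6
# are the MAC octets, group 7 is ":<SSID>" and group 8 is the SSID itself.
CALLED_STATION_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$",
    re.IGNORECASE,
)


def rewrite_called_station_id(request):
    """Model of the rewrite policy.

    Returns a copy of the attribute list in which Called-Station-Id is
    normalised to the lower-case, dash-separated form and Called-Station-SSID
    is added when the NAS appended ":<SSID>".  Values the regex does not
    recognise are left untouched, as the policy's "if" simply does not fire.
    """
    out = dict(request)
    value = request.get("Called-Station-Id")
    if value is None:
        return out
    m = CALLED_STATION_RE.match(value)
    if not m:
        return out
    # %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
    out["Called-Station-Id"] = "-".join(m.group(i) for i in range(1, 7)).lower()
    # if ("%{8}") { update request { Called-Station-SSID := "%{8}" } }
    if m.group(8):
        out["Called-Station-SSID"] = m.group(8)
    return out


# Constructed for the example: the SSID the thread wants to block.
BLOCKED_SSIDS = {"SSID02362"}


def authorize(request):
    """Model of the posted unlang check:

        if (!State) {
            if (Called-Station-SSID == "SSID02362") {
                reject
            }
        }

    Returns "reject" or "noop", the rcode the unlang block would produce.
    """
    if "State" in request:          # a continuing EAP conversation: skip
        return "noop"
    if request.get("Called-Station-SSID") in BLOCKED_SSIDS:
        return "reject"
    return "noop"


def process(request):
    """Run the rewrite, then the check, on one attribute list."""
    rewritten = rewrite_called_station_id(request)
    return rewritten, authorize(rewritten)


if __name__ == "__main__":
    # Constructed sample Called-Station-Id values in the formats NASes send.
    samples = [
        {"Called-Station-Id": "40-18-B1-8B-A7-54:SSID02362"},   # rejected
        {"Called-Station-Id": "4018b18ba754:Guest:Net"},        # SSID with ':'
        {"Called-Station-Id": "40:18:b1:8b:a7:54"},             # no SSID
        {"Called-Station-Id": "40-18-B1-8B-A7-54:SSID02362",
         "State": "0x01"},                                      # State set
        {"Called-Station-Id": "Cisco-AP1"},                     # no match
    ]
    for req in samples:
        rewritten, rcode = process(req)
        print(rcode, rewritten)
```

The model keeps a single attribute list, which is the one thing it does not capture about the server: in FreeRADIUS 3.x the PEAP/TTLS inner tunnel is processed as a separate request with its own lists, and a policy placed in the inner-tunnel authorize section only sees attributes of the outer request through references such as `&outer.request:Called-Station-SSID`. Reading which request number the condition is evaluated under in the debug output, as Alan suggests, is how to tell which list a given "if" is actually looking at.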

