Trying to Authorize Users based on AD Groups and SSIDs

Alan DeKok aland at
Thu Feb 16 14:18:57 CET 2017

On Feb 16, 2017, at 8:12 AM, Misbah Hussaini <misbhauddin at> wrote:
> Dear Alan,
>> The "if" condition doesn't match.  Why?  Go read the debug output.  Run
> tests on each "if" check.  >*Understand* how the server works.
> I changed the if condition to below but still the if condition is not
> matching, I can confirm from logs that Called-Station-SSID is set to
> SSID02362, what's wrong in the if condition?
> if (!State) {
>                if ((Called-Station-SSID == "SSID02362") ) {
>                        reject
>                }
>        }
> Here is processing of rewrite statement from debug, full debug can be found
> here ->

  The server receives multiple packets.  Is that re-write piece being run in the same packet as the one doing the check?

  Did you set "copy_request_to_tunnel" in raddbs/mods-enabled/eap?

  If not, did you check the *outer* version of Called-Station-SSID?  i.e. "outer.request:Called-Station-SSID"?  See "man unlang" for details.

  Again, you need to pay attention, and to understand how the server works.  RADIUS isn't a simple protocol like DNS or DHCP.  There are many pieces, and many more possibilities.  Understanding how it works is crucial for fixing any issue.

  Alan DeKok.

More information about the Freeradius-Users mailing list