Trying to Authorize Users based on AD Groups and SSIDs

Herwin Weststrate herwin at
Thu Feb 16 14:22:45 CET 2017

On 16-02-17 14:12, Misbah Hussaini wrote:
> Dear Alan,
>> The "if" condition doesn't match.  Why?  Go read the debug output.  Run
>> tests on each "if" check.
>> *Understand* how the server works.
> I changed the if condition to below but still the if condition is not
> matching, I can confirm from logs that Called-Station-SSID is set to
> SSID02362, what's wrong in the if condition?
>  if (!State) {
>                 if ((Called-Station-SSID == "SSID02362") ) {
>                         reject
>                 }
>         }
> Here is processing of rewrite statement from debug, full debug can be found
> here ->

You're changing the Called-Station-SSID in the outer tunnel (line 1848),
then sending a tunneled request (line 1911) with only a few attributes. The
check is performed in the inner tunnel, and can't find the

Possible solutions:
- Perform the check in the outer tunnel
- Write to/Read from session-state:Called-Station-SSID
- Use outer:request:Called-Station-SSID (or whatever the exact syntax
  was) to use the outer request.

Herwin Weststrate
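
The three options listed above, sketched in unlang as an added example (not part of Herwin's message or the poster's configuration). It assumes FreeRADIUS 3.x attribute-reference syntax and the stock `default` and `inner-tunnel` virtual servers; the SSID value is the one from the quoted condition.

```unlang
# Added example. Assumes FreeRADIUS 3.x; use ONE of the options below.

# Option 1: outer tunnel (sites-enabled/default, authorize section).
# Called-Station-SSID was set on the outer request, so test it there,
# after the policy that rewrites Called-Station-Id has run.
if (!&State) {
	if (&Called-Station-SSID == "SSID02362") {
		reject
	}
}

# Option 2: inner tunnel (sites-enabled/inner-tunnel, authorize section).
# The tunneled request carries only a few attributes, so refer to the
# outer request's list explicitly instead of the inner request.
if (&outer.request:Called-Station-SSID == "SSID02362") {
	reject
}

# Option 3: carry the value in session-state.
# 3a. Outer tunnel: store the SSID once it has been set.
update session-state {
	&Called-Station-SSID := &request:Called-Station-SSID
}
# 3b. Inner tunnel: read the outer session's copy.
if (&outer.session-state:Called-Station-SSID == "SSID02362") {
	reject
}
```

Running the server with `radiusd -X` shows which list each condition is evaluated against, which confirms whether the attribute is visible at that point.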
