Trying to Authorize Users based on AD Groups and SSIDs
Herwin Weststrate
herwin at quarantainenet.nl
Thu Feb 16 14:22:45 CET 2017
On 16-02-17 14:12, Misbah Hussaini wrote:
> Dear Alan,
>
>> The "if" condition doesn't match. Why? Go read the debug output. Run
>> tests on each "if" check. *Understand* how the server works.
>
> I changed the if condition to below but still the if condition is not
> matching, I can confirm from logs that Called-Station-SSID is set to
> SSID02362, what's wrong in the if condition?
>
> if (!State) {
> if ((Called-Station-SSID == "SSID02362") ) {
> reject
> }
> }
>
> Here is processing of rewrite statement from debug, full debug can be found
> here -> http://pastebin.com/SuS2t9Er

You're changing the Called-Station-SSID in the outer tunnel (line 1848),
then send a tunneled request (line 1911) with only a few attributes. The
check is performed in the inner tunnel, and can't find the
Called-Station-SSID.

Possible solutions:
- Perform the check in the outer tunnel
- Write to/Read from session-state:Called-Station-SSID
- Use outer:request:Called-Station-SSID (or whatever the exact syntax
  was) to use the outer request.

--
Herwin Weststrate
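
The third option from the reply above, written out as an added example that is not part of the original thread. It assumes FreeRADIUS 3.x unlang syntax (where the outer request list is addressed as `outer.request:`) and that the check sits in the `authorize` section of the inner-tunnel virtual server; the SSID value is the one from the question.

```unlang
# Added example, not from the thread. Assumes FreeRADIUS 3.x and that this
# is the authorize section of the inner-tunnel virtual server.
authorize {
    # As posted in the question: evaluated against the inner request, which
    # only carries the few attributes that were tunneled, so
    # Called-Station-SSID is not found and the condition never matches.
    #
    # if (!State) {
    #     if ((Called-Station-SSID == "SSID02362")) {
    #         reject
    #     }
    # }

    # Same check, reading the attribute from the outer request, where the
    # rewrite of Called-Station-SSID actually took place.
    if (!&State) {
        if (&outer.request:Called-Station-SSID == "SSID02362") {
            reject
        }
    }
}
```

If the outer request carries no Called-Station-SSID at all, the comparison evaluates to false and this rule does not reject, so confirm in the debug output that the attribute is present before relying on it.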