Trying to Authorize Users based on AD Groups and SSIDs

Misbah Hussaini misbhauddin at gmail.com
Thu Feb 16 18:45:53 CET 2017


Thanks for the pointer; changing the condition to the one below worked, but I am
unable to figure out how to do LDAP group lookups inside the inner-tunnel config.
I have tried to do the LDAP lookup inside the default config by removing the if
condition from inner-tunnel and adding it to default, but it still fails.

# inner-tunnel authorize: unlang keywords are lowercase ("if", "reject");
# "outer." refers to the outer (non-tunneled) request's attributes.
if (outer.Called-Station-SSID != "SSID02362") {
        reject
}


On Feb 16, 2017 5:23 PM, "Herwin Weststrate" <herwin at quarantainenet.nl>
wrote:

> On 16-02-17 14:12, Misbah Hussaini wrote:
> > Dear Alan,
> >
> >> The "if" condition doesn't match.  Why?  Go read the debug output.  Run
> > tests on each "if" check.  >*Understand* how the server works.
> >
> > I changed the if condition to below but still the if condition is not
> > matching, I can confirm from logs that Called-Station-SSID is set to
> > SSID02362, what's wrong in the if condition?
> >
> >  if (!State) {
> >                 if ((Called-Station-SSID == "SSID02362") ) {
> >                         reject
> >                 }
> >         }
> >
> > Here is processing of rewrite statement from debug, full debug can be
> found
> > here -> http://pastebin.com/SuS2t9Er
>
> You're changing the Called-Station-SSID in the outer tunnel (line 1848),
> then sending a tunneled request (line 1911) with only a few attributes. The
> check is performed in the inner tunnel, and can't find the
> Called-Station-SSID.
>
> Possible solutions:
> - Perform the check in the outer tunnel
> - Write to/Read from session-state:Called-Station-SSID
> - Use outer:request:Called-Station-SSID (or whatever the exact syntax
>   was) to use the outer request.
>
> --
> Herwin Weststrate
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

