Ldap Huntgroup 'Reject' issue

Alan DeKok aland at deployingradius.com
Thu Nov 26 15:52:57 CET 2020

On Nov 25, 2020, at 11:20 PM, Kaya Saman via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Many thanks Alan for the great guidance! :-)

  You're welcome.  Despite rumours to the contrary, I do help people.

> As per your instructions I created an Attribute in the dictionary file called 'Ldap-Locality'. I swapped all the cases of 'Huntgroup-Name' out and replaced them with 'Ldap-Locality'. Everything worked fine though the initial issue persists.


> Currently I am converting the authorize file entries to unlang. I have a few quick questions:
> 1. Do I need to add the unlang checks to both 'default' and 'inner-tunnel' files?

  It depends what you want to do...

  Generally for 802.1X, the *real* user name isn't visible in the "default" server, but only in the "inner-tunnel" server.  So you have to put the rules there.

  Then, see the "inner-tunnel" server, and look for "use_tunneled_reply".  You can copy the attributes from the inner reply to the outer one.

> 2. Will FR see more then 1 value in the LocalityName field on the ldap server once the NAS entry is matched in the ldap path?

  It depends on how you configured it.  If you add more than one attribute, then yes, it will see more than one attribute.

> 3. Currently I have added this snippet as a test in 'default':
> authorize {
>         update request {
>                 Ldap-Locality =...
>                 Ldap-Locality +=...
>         }
>         if (Ldap-Locality == "<LocalityName_string>") {
>                 if (Ldap-Group == "<group path>") {
>                         update reply {
>                                 NAS-Port-Type = "Wireless-802.11",
>                                 Airespace-QOS-Level = 3
>                         }
>                 }
>         }
> Is the 'update reply' portion correct as I am not seeing the Airespace-QOS-Level in the rad response from radiusd -X output?

  Read the debug log in DETAIL.  It will print out when it runs that "authorize" section.  it will print out each "update" section, and each "if" section.

  DON'T just look at the final Access-Accept.  Doing so is an utter waste of time.  It's like driving randomly for 3 hours with your eyes closed, then opening them and wondering why you're not home.  You have to look at each individual bit along the way to see what's going on.

  The same goes for the debug output.  Read it.  ALL of it.  Go over it slowly, looking for configuration bits you added.  Then, see if it's doing what you think it's doing.

  Alan DeKok.

More information about the Freeradius-Users mailing list