post-auth help to simplify

Alan DeKok aland at deployingradius.com
Mon Aug 30 14:49:40 CEST 2021


On Aug 30, 2021, at 4:20 AM, Pizu <pizpower at gmail.com> wrote:
> Currently we have the below in the post-auth and I would like to simplify
> this.
> 
>        if (&LDAP-Group == "RSSO - Group - 01") {
>                update reply {
>                        &Tunnel-Type := "VLAN"
>                        &Tunnel-Medium-Type := "IEEE-802"
>                        &Tunnel-Private-Group-Id := "943"
>                        &Class := "RSSO-Group-01"
>                }
>        }
>        elsif (&LDAP-Group == " RSSO - Test - Group - 01 ") {
>                update reply {
>                        &Tunnel-Type := "VLAN"
>                        &Tunnel-Medium-Type := "IEEE-802"
>                        &Tunnel-Private-Group-Id := "943"
>                        &Class := "RSSO-Test-Group-01"
>                }
>        }
> etc...

  Yeah, that's a lot of repetition.

> We have over 70 groups like this, the above is working but I'd like to
> minimize the changes on the freeradius configuration and was thinking of
> using regex but not sure if it's possible in my case.

  You can't use regexes for LDAP group matching.  That's because the user may be in many groups, so there may be many matches to the regular expression.

  Plus, why set a string value for Class?  The Class attribute is just an opaque token.  You could just as easily set it to 0x01, or 0x02.  There's no need to have a *printable* string.

  So the question is, are the users a member of only one LDAP group?  If so, then there are potential simplifications.  If the user is a member of multiple LDAP groups, then an if/then/else chain is really all you can do.

  Alan DeKok.
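Since the if/elsif chain is what remains when a user can be in several groups, one way to keep hand edits to the FreeRADIUS configuration small is to generate that chain from a table of groups and emit an opaque Class token instead of a printable name. This is an added example, not code from the thread or the FreeRADIUS project; the group names and VLAN ids in the table are constructed sample data, and the table order is assumed to be the precedence order because the first matching branch wins.

```python
"""Generate a FreeRADIUS post-auth if/elsif chain from a group table.

Added example, not from the original thread. Group names and VLAN ids
are constructed sample data; the first group that matches wins, so the
order of the table is the precedence order, exactly as in a hand-written chain.
"""

# (ldap_group_name, vlan_id); list order is precedence order.
GROUPS = [
    ("RSSO - Group - 01", "943"),
    ("RSSO - Test - Group - 01", "943"),
    ("RSSO - Group - 02", "944"),
]


def class_token(index: int) -> str:
    """Class is an opaque token, so a small number is enough; hex-encode it."""
    return f"0x{index:02x}"


def render_branch(group: str, vlan: str, class_value: str) -> str:
    """Render one branch body; the caller prefixes 'if' or 'elsif'."""
    # Escape any double quote in the group name so the unlang string stays valid.
    group = group.replace('"', '\\"')
    return (
        f'(&LDAP-Group == "{group}") {{\n'
        f"        update reply {{\n"
        f'                &Tunnel-Type := "VLAN"\n'
        f'                &Tunnel-Medium-Type := "IEEE-802"\n'
        f'                &Tunnel-Private-Group-Id := "{vlan}"\n'
        f"                &Class := {class_value}\n"
        f"        }}\n"
        f"}}"
    )


def render_post_auth(groups=GROUPS) -> str:
    """Return the full chain; an empty table yields an empty string."""
    branches = []
    for index, (group, vlan) in enumerate(groups, start=1):
        keyword = "if" if index == 1 else "elsif"
        branches.append(f"{keyword} {render_branch(group, vlan, class_token(index))}")
    return "\n".join(branches)


if __name__ == "__main__":
    print(render_post_auth())
```

Regenerating the chain after editing the table is the only configuration change needed when a group is added or its VLAN moves.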
