Request: How to implement SSID and group aware logic
Alan DeKok
aland at deployingradius.com
Wed Jul 16 12:16:44 UTC 2025
On Jul 15, 2025, at 2:04 PM, Taylor Gorman <taylorgorman at thecampusway.com> wrote:
> My questions:
>
> 1. What file should I implement this in? I'm thinking "sites-available/google-ldap-auth" is the correct answer, but I'm not sure.
Configuration doesn't go into "files". It goes into specific locations, depending on what you need to do. Module configuration is in mods-enabled/. Virtual servers and policies are in sites-enabled/.
It will be very hard to configure the server if those differences are unclear.
> 2. Should I attempt this in the authorize section, authenticate section, or post-auth section? I think it should go in the authorize section, but I'm not sure.
The different sections do different things. Their operation is documented in the comments in the virtual servers and online:
https://www.freeradius.org/documentation/freeradius-server/current/
> 3. Is this a use case for realms? I don't really understand realms at all.
The realms are just domain names.
> What I want to happen:
>
> 1. Supplicant attempts to connect with domain @thecampusway.com or @students.thecampusway.com
> 2. freeRADIUS checks what SSID the user is coming from
> 3. If supplicant connecting to SSID CampusInternal and has LDAP group "allstaff", then allow the connection. Else, reject the connection.
> 4. If supplicant is connecting to SSID CampusStudents and has LDAP group "wifistudents", then allow the connection. Else, reject.
Writing that down is a good start. Then, you need to read the debug output to see what attribute contains the SSID. Then, write rules to match that.
> ...
> (0) Received Access-Request Id 80 from 71.59.46.3:57724 to 172.17.0.2:1812 length 279
> (0) User-Name = "radiustest at thecampusway.com"
> (0) NAS-IP-Address = 10.0.10.43
> (0) NAS-Identifier = "default"
> (0) Called-Station-Id = "78-8A-20-58-6E-4E:CampusInternal"
That contains the SSID.
> (0) &Called-Station-SSID := CampusInternal
That should be pretty clear.
i.e. if you want to know where the SSID is, read the debug output, and look for "SSID".
You will likely need to define realms, because LDAP lookups are probably done on the first part of User-Name: "radiustest", and not on the realm "thecampusway.com".
    # proxy.conf: local realms (no authhost), so "suffix" can split the
    # User-Name without proxying anything.
    realm thecampusway.com {
    }
    realm students.thecampusway.com {
    }
You can then do:
    suffix   # look up realms, and split User-Name into "user" and "realm" portion

    # Comparison is "==", not ":=" (":=" is assignment and is not valid in a condition).
    if (&Called-Station-SSID == "CampusInternal") {
        if (&Realm != "thecampusway.com") {   # logins must be staff!
            reject
        }
        if (&LDAP-Group == "allstaff") {
            # apply rules for staff
        } else {
            reject   # nope, not for you!
        }
    }
You can do a similar check for the "CampusStudents" SSID.
Alan DeKok.
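The two-SSID policy written out in full, as an added example that is not part of Alan's reply or of the FreeRADIUS distribution. It assumes FreeRADIUS 3.x unlang, that the NAS appends the SSID to Called-Station-Id as in the debug output above, that the stock rewrite_called_station_id policy (policy.d/filter) is what populates &Called-Station-SSID, that the ldap module is configured so that &LDAP-Group compares against the group's name rather than its DN, and that the realm names are the ones Alan suggested; the Reply-Message texts are illustrative. It goes beyond Alan's snippet by also handling the student SSID, a request with no SSID at all, and an SSID the policy does not know about, all of which fail closed.

```unlang
# proxy.conf: local realms so "suffix" can split User-Name into
# Stripped-User-Name and Realm without proxying anything (assumed names).
realm thecampusway.com {
}
realm students.thecampusway.com {
}

# sites-enabled/<the virtual server that receives these requests>,
# inside its authorize { ... } section, after rewrite_called_station_id
# and suffix, and before the ldap / eap calls that need Stripped-User-Name.
authorize {
    # Parses "78-8A-20-58-6E-4E:CampusInternal" and sets &Called-Station-SSID.
    rewrite_called_station_id

    # Sets &Realm and &Stripped-User-Name from the realms above.
    suffix

    # A NAS that does not send the SSID cannot be authorised by this
    # policy; reject rather than let the request fall through.
    if (!&Called-Station-SSID) {
        update reply {
            &Reply-Message := "No SSID in Called-Station-Id"
        }
        reject
    }

    if (&Called-Station-SSID == "CampusInternal") {
        # Staff SSID: staff realm AND "allstaff" group, else reject.
        if (&Realm != "thecampusway.com") {
            reject
        }
        if (&LDAP-Group == "allstaff") {
            ok
        }
        else {
            reject
        }
    }
    elsif (&Called-Station-SSID == "CampusStudents") {
        # Student SSID: student realm AND "wifistudents" group, else reject.
        if (&Realm != "students.thecampusway.com") {
            reject
        }
        if (&LDAP-Group == "wifistudents") {
            ok
        }
        else {
            reject
        }
    }
    else {
        # Unknown SSID: fail closed instead of authenticating anyway.
        update reply {
            &Reply-Message := "SSID not permitted"
        }
        reject
    }

    # ... the rest of the authorize section (ldap, eap, etc.) follows here.
}
```

Run the server with "radiusd -X" and watch for the "&Called-Station-SSID := ..." and "&Realm" lines to confirm that rewrite_called_station_id and suffix ran before the checks; if &LDAP-Group never matches, check the ldap module's group settings, since the comparison value must match whatever the module uses as the group name.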