
freeradius primary ldap gid per client

How to allow only certain primary LDAP groups on certain access points with FreeRADIUS and tunneled EAP sessions

The NAS client is only known to the outer (default) virtual server, while the LDAP gid is only known to the inner one (inner-tunnel), so the allowed list has to be carried from the outer request into the inner check.

->add new dictionary entries (internal attributes; numbers above 255 are never sent on the wire)

ATTRIBUTE williGID 3000 integer
ATTRIBUTE williAllowedGID 3001 integer

->add the list of allowed gids for that NAS in the hints file (read by the preprocess module in the outer authorize section; the reply items must be indented, otherwise each line is parsed as a new entry)

DEFAULT NAS-IP-Address == 192.168.72.3
	williAllowedGID = 1003,
	williAllowedGID += 101

->store the gid from LDAP in the control list (in the update section of the ldap module)

control:williGID := 'gidNumber'

->check it in the authorize section of inner-tunnel, after the ldap module has run so that control:williGID is already set (clients without a williAllowedGID entry in hints are not restricted by this check)

if (&outer.request:williAllowedGID) {
	if (&outer.request:williAllowedGID[*] == &control:williGID) {
		noop
	}
	else {
		reject
	}
}
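To see the whole policy end to end, here is a small Python model added for this page (it is not FreeRADIUS code and not part of the original notes): it parses the hints entry the way the users-file syntax is read (= adds only when the attribute is absent, += always adds another instance), builds the outer request for a given NAS, and runs the inner-tunnel check. The attribute names and the 192.168.72.3 NAS come from the page; the function names and the second sample entry are my own.

```python
import re

# Constructed sample: the hints entry from the page (reply items are tab-indented).
HINTS = """\
DEFAULT NAS-IP-Address == 192.168.72.3
\twilliAllowedGID = 1003,
\twilliAllowedGID += 101
"""

# attribute, operator, value; items are separated by commas as in the users file
ITEM = re.compile(r"\s*([\w-]+)\s*(==|:=|\+=|=)\s*([^,]+?)\s*(?:,|$)")

def parse_hints(text):
    """Return [(key, check_items, reply_items)]; an item is (attr, op, value)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":                  # first line: key plus check items
            key, _, rest = line.partition(" ")
            entries.append((key, ITEM.findall(rest), []))
        else:                                     # indented continuation: reply items
            entries[-1][2].extend(ITEM.findall(line))
    return entries

def outer_request(nas_ip, hints_text=HINTS):
    """Apply matching DEFAULT hints entries to the outer request; values stay strings,
    one list per attribute so several instances of williAllowedGID can coexist."""
    request = {"NAS-IP-Address": [nas_ip]}
    for key, checks, replies in parse_hints(hints_text):
        if key != "DEFAULT" or not all(v in request.get(a, []) for a, _, v in checks):
            continue
        for attr, op, value in replies:
            if op == "+=":                        # always add another instance
                request.setdefault(attr, []).append(value)
            elif op == ":=":                      # replace all instances
                request[attr] = [value]
            elif op == "=":                       # add only if the attribute is absent
                request.setdefault(attr, [value])
    return request

def inner_tunnel_authorize(outer, gid_from_ldap):
    """The page's unlang: noop if any williAllowedGID instance equals control:williGID,
    reject otherwise. A NAS without any williAllowedGID is not restricted at all."""
    allowed = outer.get("williAllowedGID")
    if not allowed:
        return "noop"
    return "noop" if gid_from_ldap in allowed else "reject"
```

The last case is the one to keep in mind: an access point with no hints entry passes the check for every gid, so the restriction only applies to NAS addresses listed in hints.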