joao...@gmail.com <joao...@gmail.com> wrote:
>
> This model is functional, however it has a problem (very serious): Radius does
> not know from which SSID the client is trying to authenticate, or whether it
> decides on the basis solely of the Realm authentication of the client. I need
> to make the Radius check the VLAN that is associated with the request for
> user authentication. Check through the debug radius that an Access-Request
> packet has the following information:
>
> ...
> rad_recv: Access-Request packet from host 192.168.254.48 port 32769, id=204, length=184
>         User-Name = "joao@fpti"
>         Calling-Station-Id = "68-a3-c4-85-c5-89"
>         Called-Station-Id = "00-26-cb-94-65-60:FPTI"
>         NAS-Port = 29
>         NAS-IP-Address = 192.168.254.48
>         NAS-Identifier = "WLC-PTI"
>         Airespace-Wlan-Id = 1
>         Service-Type = Framed-User
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-802.11
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>       * Tunnel-Private-Group-Id:0 = "5"*
>

string != integer

Tunnel-Private-Group-Id is a string.

I have to do a similar thing to map a silly attribute coughed up by Cisco's
useless WLC:

---- policy.conf ----
rewrite.quirk.wlc {
        if (NAS-IP-Address == 172.16.3.124 && NAS-Identifier == "wlc-01") {
                switch "%{Airespace-Wlan-Id}" {
                        case "1" {
                                update request {
                                        NAS-Port-Id := "eduroam"
                                }
                        }
                        case "5" {
                                update request {
                                        NAS-Port-Id := "UTILICOM"
                                }
                        }
                        case "6" {
                                update request {
                                        NAS-Port-Id := "BTOpenzone"
                                }
                        }
                        case "7" {
                                update request {
                                        NAS-Port-Id := "soas-wpa-psk"
                                }
                        }
                        case {
                                update request {
                                        NAS-Port-Id := "UNKNOWN"
                                }
                        }
                }
                ...
        }
----

You should use (I am almost certain you should not be looking at tagged
attributes, so drop the ':0' too):

---- notice the "...." ----
if (Tunnel-Private-Group-Id == "5") {
        [stuff]
}
----

Cheers

--
Alexander Clouter
.sigmonster says: Do not apply to broken skin.
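
The check discussed in this thread, written out as a policy.conf block. This is an added example, not code from either poster: the policy name check_wlan_vlan and the rule that VLAN "5" belongs to the realm "fpti" are assumptions, while the WLC name and the VLAN value are taken from the debug output quoted above.

```unlang
# Added example, not from the thread. The policy name and the VLAN-to-realm
# pairing are assumptions; adjust them to the local WLAN layout.
check_wlan_vlan {
        # Only requests from the controller seen in the debug output.
        if (NAS-Identifier == "WLC-PTI") {
                # Tunnel-Private-Group-Id is a string attribute: no ':0' tag,
                # and every case value is a quoted string, never a bare 5.
                switch "%{Tunnel-Private-Group-Id}" {
                        case "5" {
                                # Compare the expanded string, so that a
                                # request with no Realm (which expands to an
                                # empty string) is refused as well.
                                if ("%{Realm}" != "fpti") {
                                        reject
                                }
                        }
                        case {
                                # Default: unknown VLAN, or no VLAN attribute
                                # at all (empty expansion), is refused.
                                reject
                        }
                }
        }
}
```

Call check_wlan_vlan in the authorize section after the realm module (for example suffix), since that module is what adds Realm to the request.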