FreeRADIUS: forward Filter-ID as a variable to post authentication

I was recently looking at updating the post authentication process in FreeRADIUS to include the Filter-ID depending on membership of a UNIX group.  The conditional logic in this requirement is rather simple, it was only based on if the user was in the membership list of two groups, in this example I will just name these groups ‘group1’ and ‘group2’.

To set a variable to the UNIX group name if  the group match returned a true statement and to forward this value to the post authentication as an additional step to update the reply message to include the Filter-ID attribute in   I was required to edit ‘/etc/freeradius/sites-enabled/default’ to include the following:

authorize { 
if (Group-Name == "group1" { 
update control { 
Tmp-String-1 := "group1"
elsif (Group-Name == "group2" { 
update control { 
Tmp-String-1 := "group2"

post-auth { 
update-reply { 
Filter-ID :="%{control:Tmp-String-1}"

Once this has been updated, restart the FreeRADIUS service, to apply the changes.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s