I was recently looking at updating the post-authentication process in FreeRADIUS to include the Filter-ID depending on membership of a UNIX group. The conditional logic in this requirement is rather simple: it depends only on whether the user is in the membership list of one of two groups, which in this example I will just name ‘group1’ and ‘group2’.
To do this, I set a variable to the UNIX group name when the group match returns true, then forward this value to post-authentication, where an additional step updates the reply message to include the Filter-ID attribute. This required editing ‘/etc/freeradius/sites-enabled/default’ to include the following:
    authorize {
        ....
        unix
        files
        # Record which UNIX group matched so post-auth can use it
        if (Group-Name == "group1") {
            update control {
                Tmp-String-1 := "group1"
            }
        }
        elsif (Group-Name == "group2") {
            update control {
                Tmp-String-1 := "group2"
            }
        }
    }
    post-auth {
        ....
        exec
        # Copy the recorded group name into the reply as Filter-ID
        update reply {
            Filter-ID := "%{control:Tmp-String-1}"
        }
    }
Once this has been updated, restart the FreeRADIUS service to apply the changes.
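One way to confirm the change after the restart is to check the Filter-Id in the reply for a test user from each group. The script below is an added example, not part of the original post; the user name, password, shared secret and the sample radtest output embedded in it are constructed assumptions.

```shell
#!/bin/sh
# Added example: verify the Filter-Id returned for a test user.
# Live usage (user, password and shared secret are assumptions):
#   radtest alice 'password' 127.0.0.1 0 testing123 | check_filter_id group1

# Read radtest/radclient output on stdin and print the Filter-Id value
# from an Access-Accept. Prints nothing for a reject or a missing value.
reply_filter_id() {
    awk '
        /Access-Accept/ { accepted = 1 }
        /Access-Reject/ { accepted = 0 }
        accepted && $1 == "Filter-Id" {
            v = $0
            sub(/^[^=]*=[ \t]*"?/, "", v)   # strip name, "=", opening quote
            sub(/"?[ \t]*$/, "", v)         # strip closing quote
            print v
            exit
        }'
}

# Succeed only if the reply carries exactly the expected Filter-Id.
# An empty or absent value fails: that is what a user in neither group
# produces, because Tmp-String-1 was never set for them.
check_filter_id() {
    expected=$1
    actual=$(reply_filter_id)
    if [ -z "$actual" ]; then
        echo "FAIL: no usable Filter-Id in an Access-Accept" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: got '$actual', expected '$expected'" >&2
        return 1
    fi
    echo "OK: Filter-Id = $actual"
}

# Constructed sample output (not captured from a real server).
sample_reply() {    # $1 = Filter-Id value to embed
    printf '%s\n' \
        'Sent Access-Request Id 12 from 0.0.0.0:40001 to 127.0.0.1:1812 length 75' \
        '    User-Name = "alice"' \
        'Received Access-Accept Id 12 from 127.0.0.1:1812 to 127.0.0.1:40001 length 28' \
        "    Filter-Id = \"$1\""
}

sample_reply group1 | check_filter_id group1
```

Run it once for a member of each group and once for a user in neither, so the unmatched case is seen before the filter is relied on.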