Re: Deny AD groups

Alan DeKok <aland@deployingradius.com> · Thu, 01 May 2008 18:49:12 +0200

rmp dmd wrote:
> I have a security group in AD 'noremote' that I would like to deny VPN
> access. 
>  
> Reading the FAQ, I edit users to include
>  
> DEFAULT Group == "noremote", Auth-Type := Reject
>                 Reply-Message = "Your account is not allowed."
> but this doesn't work.

  The "Group" attribute is for UNIX groups.  i.e. /etc/group.

  If you want to check an LDAP group, use the LDAP-Group attribute.
This isn't well documented...

  Alan DeKok.