Using Groups to Limit Authentication to Network Devices

Peter Lambrechtsen plambrechtsen at
Sat Mar 27 06:46:25 CET 2010

On Sat, Mar 27, 2010 at 3:00 AM, Doug Warner <doug at> wrote:

> I'm trying to set up freeradius to authenticate users via LDAP but pull group
> information via MySQL.  I currently only need radius for authentication to
> network devices (switches, PDUs, etc) but want to make sure I set it up so
> that I don't shoot myself in the foot later.
> In trying to get the correct attributes assigned to a group I've noticed that
> I need to set Fall-Through on each group that a user belongs to in order to
> have later groups evaluated.  Is there a better way that I can say something
> like, "this client should check for access from these groups" so that I only
> need to set Fall-Through on certain groups instead of all?

Why not just use LDAP altogether for your group-based auth?  This is how I
do it and it works well, and doesn't need any schema extensions.

Then all you have to do is modify the hostgroups & postauth_users file when
you add new NAS's.