Authenticate to AD but only allow certain group

Alan DeKok aland at deployingradius.com
Mon Feb 3 22:18:44 CET 2014


Brian C. Huffman wrote:
> I would prefer to have this happen only when requests come from a
> specific client (wireless access point).  In this case the idea is to
> have users only be able to get wireless access when they're in a
> specific AD group.
> 
> How can I do this in freeradius?

  If they're using wireless, and they're NOT in the group, reject.

  Use the source IP for wireless access.  Use LDAP-Group for the group
checks.


	# Requests from the wireless AP (1.2.3.4): reject users outside the group
	if ((Packet-Src-IP-Address == 1.2.3.4) &&
	    !(LDAP-Group == "allowed-for-wireless")) {
		reject
	}

  Alan DeKok.

