Authenticate to AD but only allow certain group
Brian C. Huffman
bhuffman at etinternational.com
Tue Feb 4 21:30:34 CET 2014
On 02/03/2014 04:47 PM, Matt Zagrabelny wrote:
> On Mon, Feb 3, 2014 at 3:33 PM, Brian C. Huffman
> <bhuffman at etinternational.com> wrote:
>> Which file and section should this go in?
> I use FR from the Debian packages, so I am not exactly sure where your
> installed configs are. Here is where I would put it:
>
> /etc/freeradius/sites-available/default
>
> in the post-auth section:
>
> post-auth {
> if ((Packet-Src-IP == 1.2.3.4) && !(LDAP-Group == "allowed-for-wireless)) {
> reject
> }
>
> .
That works, but I still need to instantiate the ldap module. If I do it
in post-auth, I get this error:
/etc/raddb/sites-enabled/default[490]: "LDAP" modules aren't allowed in
'post-auth' sections -- they have no such method.
But I don't want to use ldap for authentication since I'm using mschap.
Where should I do the initial call for ldap?
Thanks,
Brian
More information about the Freeradius-Users
mailing list