Authenticate to AD but only allow certain group
Brian C. Huffman
bhuffman at etinternational.com
Fri Feb 7 18:54:21 CET 2014
On 02/04/2014 05:01 PM, Matthew Newton wrote:
> You mention you're doing wireless - you probably want the LDAP-Group
> check to be in the inner-tunnel post-auth section where the real user
> is known, not the default post-auth section.
>
> Matthew

Matt,

I'm not sure I follow. I tried to find a good explanation of the inner
tunnel. I read the section on virtual servers, but wasn't quite sure
how that applied.

I'm using MSCHAP / Samba winbind to do the authentication to a Wireless
AP. And I was looking to also verify that the user is a member of an AD
group ("Wireless Allowed") before providing an authentication success.

Can you explain why you suggested to use the inner tunnel? I'd just
removed that from my sites-enabled and everything seemed to be working.

Thanks,
Brian
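
The placement described in the quoted reply, shown as an added configuration sketch that is not part of the original message or of the FreeRADIUS distribution. It assumes the inner-tunnel virtual server is enabled, that EAP (PEAP or TTLS) hands the tunnelled request to it, and that an ldap module is already configured against AD so that LDAP-Group can be resolved.

```conf
# Constructed example. File names follow the stock sites-enabled layout;
# the group name "Wireless Allowed" is the one given in the message above.

# --- sites-enabled/default (outer request) -------------------------------
# With PEAP/TTLS the User-Name seen here is the outer identity, which the
# client chooses and which may be a placeholder such as "anonymous".
# A group check here would test that outer name, not the account that
# actually authenticated, so it is left commented out.
post-auth {
#       if (!(LDAP-Group == "Wireless Allowed")) {
#               reject
#       }
}

# --- sites-enabled/inner-tunnel (request inside the TLS tunnel) ----------
# Here User-Name is the identity that MS-CHAP authenticated, i.e. the
# "real user" the reply refers to, so the membership check belongs here.
post-auth {
        if (!(LDAP-Group == "Wireless Allowed")) {
                # Failing the inner request makes the outer EAP session fail,
                # so the access point never receives an Access-Accept.
                reject
        }
}
```

Running the server in debug mode (`radiusd -X`) shows which User-Name each post-auth section evaluates, which confirms whether the check is testing the inner or the outer identity.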