Authenticating users on LDAP based on Group name

Jose Torres-Berrocal jetsystemservices at
Wed Apr 22 21:25:57 CEST 2015

In the current two scenarios both return Access-Accept.
1. Not using group options if I enter the wrong password the result is
Reject for any user in the LDAP database, and using the correct password
the result is Accept for any group.
2. Using group options, result is Reject if does not belong to the group,
but Accept to the users in the group even if they enter wrong password
because is not Authenticating.

What I need is get a result of Accept only if belongs to the group and
enter the correct password. In a way I could say that I need to Authorize
by Group and Authenticate by User.

On Wed, Apr 22, 2015 at 12:30 PM, Alan DeKok <aland at>

> On Apr 22, 2015, at 12:08 PM, Jose Torres-Berrocal <
> jetsystemservices at> wrote:
> > Here is the Debug output differences with some context lines.
>   It's still difficult to see what's going on.
> > As I said on previous email, when using group options I can see on the
> > debug that is not authenticating only authorizing, while not using group
> > options is indeed authenticating.  I can see that there is also something
> > different about PAP.
>   Both debug outputs return Access-Accept.
>   What's the problem?
>   Be SPECIFIC.  Don't just say "the output is different".  Say I expected
> it to do X, and it did Y instead".
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list