Active directory integration and grant access base on AD group membership

Alan DeKok aland at deployingradius.com
Tue Feb 14 18:03:38 CET 2017


On Feb 14, 2017, at 11:57 AM, Luc Paulin <paulinster at gmail.com> wrote:
> 
> Thanx Matthew,
> I already had a look at that url but it looks like it doesn't work.

  It works if you follow the documentation.

> must be
> something I am not doing right .. but unsure what ..
> 
> I have created a huntgroup which looks like this ..
> 
> wireless         NAS-IP-Address == 10.1.0.81
> 
> and my users file only has the following line in it ..
> 
> DEFAULT    Ldap-Group == "admin-galaxie", Huntgroup-Name == "wireless"
> 
> So my understanding is that users that aren't members of the wireless-users
> group shouldn't be granted access to the wireless network/device. But that
> isn't what's happening .. everyone is granted access

  That's not how the "users" file works.  Please read the documentation to see how it works.

  That DEFAULT entry just checks if the LDAP-Group and Huntgroup-Name match.  It doesn't *do* anything if they match, or if they don't match.

  You should write your policies in "unlang".  It's clearer:

authorize {
	...

	# check only the first packet of EAP, and all non-EAP
	if (!&EAP-Message || !&State) {
		# the LDAP group name must match the one used in your "users" file
		if ((&Huntgroup-Name == "wireless") && (&Ldap-Group != "admin-galaxie")) {
			reject
		}
	}

	...
}

  It's *much* easier to write clear if / then / else statements, instead of relying on your assumption about how the "users" file works.

  Alan DeKok.




More information about the Freeradius-Users mailing list