Trying to Authorize Users based on AD Groups and SSIDs

Misbah Hussaini misbhauddin at gmail.com
Thu Feb 16 08:12:46 CET 2017


Hi Alan,

Thanks for the reply. I have configured the code below in the top section of
authorize in the inner-tunnel config, but all users are getting access to the SSID,
though the debug shows an LDAP check happening. You can check the debug on
pastebin here -> http://pastebin.com/1BXxxvtC

  if (!State) {
          if ((Called-Station-SSID == "SSID02362") && (LDAP-Group != "FR-TEST")) {
                  reject
          }
  }

The rewrite attribute for getting the SSID is Called-Station-SSID, and not
Calling-Station-SSID, as mentioned in the canonicalization file.

Regards
Misbah

On 15 February 2017 at 20:47, Misbah Hussaini <misbhauddin at gmail.com> wrote:

> Dear,
>
> I'm trying to configure PEAP authentication with an AD backend on my FR
> server, which is running version 3.0.4 on CentOS 7. So far, I'm able to
> authenticate against AD, but group membership checking is not working. I'd
> appreciate it if some help could be provided.
>
> I want to map my SSIDs (SSID02362, SSID02363, etc.) to AD groups so that
> users in specific groups can access that particular SSID. As mentioned in the
> man page of rlm_ldap, I have configured the group membership check in post-auth
> by adding the configuration below to the default and inner-tunnel config files, but
> my users are getting Access-Reject messages. If I remove the LDAP-Group
> check config, then all users are able to authenticate and access the SSID, of
> course without any control.
>
> post-auth {
>         if (LDAP-Group == "FR-TEST") {
>                 noop
>         }
>         else {
>                 reject
>         }
> }
>
> If group membership works, then I can go ahead and add the config below to test
> SSID with group membership. (This is not done yet.)
>
> post-auth {
>         if (LDAP-Group == "FR-TEST" && Calling-Station-SSID == "SSID02362") {
>                 noop
>         }
>         else {
>                 reject
>         }
> }
>
> Where am I going wrong?
>
> The debug can be found here -> http://pastebin.com/zSptQPaa
>
>
> Regards
> Misbah
>
>
>
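The SSID-to-group mapping the thread is working towards, written out as an added example (FreeRADIUS 3.0.x unlang for the post-auth section of sites-enabled/inner-tunnel; this is editorial example code, not the poster's configuration or anything from the FreeRADIUS project). It assumes the outer authorize section runs the rewrite_called_station_id policy from policy.d/canonicalization, so that Called-Station-SSID exists in the outer request, and that the ldap module is configured as in the thread; the second SSID's group name "FR-TEST-2" is hypothetical. The check lives in the inner tunnel because that is the request that carries the real User-Name the LDAP group lookup is keyed on. Since PEAP does not copy the outer request's attributes into the inner request unless copy_request_to_tunnel = yes is set, the SSID is pulled in explicitly via the outer.request list; an SSID that is not in the map, or a missing SSID, falls to the default case and is rejected rather than allowed:

```unlang
# Added example, not the poster's configuration.  Goes in the post-auth
# section of sites-enabled/inner-tunnel on FreeRADIUS 3.0.x.
# Assumes: rewrite_called_station_id ran in the OUTER authorize section,
# so Called-Station-SSID is set in the outer request; the ldap module is
# configured; the group name "FR-TEST-2" is hypothetical.
post-auth {
        # The inner request does not contain the outer attributes by default,
        # so fetch the SSID from the outer request.  If the outer request has
        # no Called-Station-SSID this expands to "" and no case below matches,
        # i.e. the check fails closed.
        update request {
                Called-Station-SSID := "%{outer.request:Called-Station-SSID}"
        }

        switch Called-Station-SSID {
                case "SSID02362" {
                        # Negating the documented "LDAP-Group == ..." form
                        # rather than writing "!=" keeps the compare on the
                        # path rlm_ldap registers for this attribute.
                        if (!(LDAP-Group == "FR-TEST")) {
                                reject
                        }
                }
                case "SSID02363" {
                        # Hypothetical group name for the second SSID.
                        if (!(LDAP-Group == "FR-TEST-2")) {
                                reject
                        }
                }
                case {
                        # SSID not in the map (or missing): deny.
                        reject
                }
        }

        # ... remainder of the existing post-auth section
}
```

A reject here turns the inner Access-Accept into an Access-Reject, so the outer PEAP exchange fails for a user who authenticated correctly but is not in the group mapped to the SSID they connected to. Test it with radiusd -X and one account per group, and confirm in the debug output that the LDAP group lookup runs against the inner User-Name and not the anonymous outer identity.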


More information about the Freeradius-Users mailing list