Hi Alan, Thanks for the reply, I have configured below code in top section of authorize in inner tunnel config but all users are getting accessed to SSID though debug shows a ldap check happening. You can check the debug from pastebin here -> http://pastebin.com/1BXxxvtC if (!State) { if ((Called-Station-SSID == "SSID02362") && (LDAP-Group != "FR-TEST")) { reject } } The rewrite attribute for getting SSID is Called-Station-SSID and not Calling-Station-SSID as mentioned in canonicalization file. Regards Misbah On 15 February 2017 at 20:47, Misbah Hussaini <misbhauddin@gmail.com> wrote:
Dear,
I'm trying to configure PEAP Authentication with AD backend on my FR Server which is running version 3.0.4 on Centos 7. So far, I'm able to authenticate against AD but group membership checking is not working, appreciate if some help can be provided.
I want to map my SSIDs - SSID02362, SSID02363 etc to AD groups so that users in specific groups can access that particular SSID. As mentioned in man page of rlm_ldap I have configured group membership check in post-auth by adding below configuration in default and inner-tunnel config files but my users are getting access-reject messages. If I remove the ldap-group check config then all users are able to authenticate and access SSID, off course without any control.
post-auth { if (LDAP-Group == "FR-TEST") { noop } else { reject } }
if group membership works then I can go ahead and add below config to test SSID with Group membership. (this is not one yet).
post-auth { if (LDAP-Group == "FR-TEST" && Calling-Station-SSID == "SSID02362") { noop } else { reject } }
Where am I going wrong?
Debug can be found here -> http://pastebin.com/zSptQPaa
Regards Misbah