Hello listmembers, In my testing environment I set up a virtual freeradius 2.1.12 server, which is configured to do ntlm_auth for authentication and ldap authorization against Microsoft AD. These are my ldap groups: - cn=radius.users,ou=Groups,dc=test,dc=local (only users within this group are allowed to authenticate against AD) - cn=alu.rw,ou=Groups,dc=test,dc=local (read-write group for alcatel-lucent devices) - cn=alu.ro,ou=Groups,dc=test,dc=local (read-only group for alcatel-lucent devices) - cn=netscreen.rw,ou=Groups,dc=test,dc=local (read-write group for juniper netscreen devices) - cn=netscreen.ro,ou=Groups,dc=test,dc=local (read-only group for juniper netscreen devices) - cn=nsm.rw,ou=Groups,dc=test,dc=local (read-write group for juniper nsm) - cn=nsm.ro,ou=Groups,dc=test,dc=local (read-only group for juniper nsm) - cn=aruba.rw,ou=Groups,dc=test,dc=local (read-write group for aruba devices) - cn=aruba.ro,ou=Groups,dc=test,dc=local (read-only group for aruba devices) I wrote unlang code in the authorize section of virtual server "default" (will post this later) - if a AD user is member of the radius.user I set Auth-Type to "ntlm_auth" - if a AD user is member of a device group above freeradius will add the appropriate return attributes to the access-accept packet. - if a AD user ist member of a read-write and a read-only group at once the user will be rejected because I assume this will be a configuration mistake. This is working so far very well but there is another advantage: Here are several devices which only support telnet access (yes, I know I have to get rid of them as soon as possible). In my point of view it would be fatal to logon to those devices with the active directory account. What I have done for now to authenticate non AD users only for these devices: - define these users in users file - create a huntgroup telnet with all the NAS-IP-Addresses of these devices - create unlang code to set Auth-Type to PAP if a radius request is received with one NAS-IP-Address defined in the huntgroup unlang code below "preprocess" (authorize section of virtual server "default): if(Huntgroup-Name == xos) { update control { Auth-Type = pap } } unlang code below "ldap" (authorize section of virtual server "default): # reject users which are member of a read-only and a read-write group if(Ldap-Group == "cn=alu.rw,ou=Groups,dc=test,dc=local" && Ldap-Group == "cn=alu.ro,ou=Groups,dc=test,dc=local") { reject } elsif(Ldap-Group == "cn=netscreen.rw,ou=Groups,dc=test,dc=local" && Ldap-Group == "cn=netscreen.ro,ou=Groups,dc=test,dc=local") { reject } elsif(Ldap-Group == "cn=nsm.rw,ou=Groups,dc=test,dc=local" && Ldap-Group == "cn=nsm.ro,ou=Groups,dc=test,dc=local") { reject } elsif(Ldap-Group == "cn=aruba.rw,ou=Groups,dc=test,dc=local" && Ldap-Group == "cn=aruba.ro,ou=Groups,dc=test,dc=local") { reject } # Allow only members of AD-Group "cn=radius.users,ou=Groups,dc=test,dc=local" to authenticate against AD! if(Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") { update control { Auth-Type = ntlm_auth } # # Return-Attribute Section # # Return appropriate return attributes to members of "cn=alu.rw,ou=Groups,dc=test,dc=local" if(Ldap-Group == "cn=alu.rw,ou=Groups,dc=test,dc=local") { update reply { Alcatel-Access-Priv = Alcatel-Read-Priv Alcatel-Access-Priv += Alcatel-Write-Priv Alcatel-Access-Priv += Alcatel-Admin-Priv Alcatel-Acce-Priv-F-W1 := 0xffffffff Alcatel-Acce-Priv-F-W2 := 0xffffffff Alcatel-Asa-Access := All Service-Type := 6 } } # Return appropriate return attributes to members of "cn=alu.ro,ou=Groups,dc=test,dc=local" if(Ldap-Group == "cn=alu.ro,ou=Groups,dc=test,dc=local" && !Ldap-Group == "cn=alu.rw,ou=Groups,dc=test,dc=local") { update reply { Alcatel-Access-Priv := Alcatel-Read-Priv Alcatel-Acce-Priv-F-R1 := 0xFFFFFFFF Alcatel-Acce-Priv-F-R2 := 0xFFFFFFFF Alcatel-Acce-Priv-F-W1 := 0x0000000A Alcatel-Acce-Priv-F-W2 := 0x00000000 Alcatel-Asa-Access := all } } # Return appropriate return attributes to members of "cn=netscreen.rw,ou=Groups,dc=test,dc=local" if(Ldap-Group == "cn=netscreen.rw,ou=Groups,dc=test,dc=local") { update reply { NS-Admin-Privilege := Root-Admin } } # Return appropriate return attributes to members of "cn=netscreen.ro,ou=Groups,dc=test,dc=local" if(Ldap-Group == "cn=netscreen.ro,ou=Groups,dc=test,dc=local" && !Ldap-Group == "cn=netscreen.rw,ou=Groups,dc=test,dc=local") { update reply { NS-Admin-Privilege := Read-Only-Admin } } # Return appropriate return attributes to members of "cn=nsm.rw,ou=Groups,dc=test,dc=local" if(Ldap-Group == "cn=nsm.rw,ou=Groups,dc=test,dc=local") { update reply { NS-NSM-User-Domain-Name := global NS-NSM-User-Role-Mapping := "global:System Administrator" } } # Return appropriate return attributes to members of "cn=nsm.ro,ou=Groups,dc=test,dc=local" if(Ldap-Group == "cn=nsm.ro,ou=Groups,dc=test,dc=local" && !Ldap-Group == "cn=nsm.rw,ou=Groups,dc=test,dc=local") { update reply { NS-NSM-User-Domain-Name := global NS-NSM-User-Role-Mapping := "global:Read-Only System Administrator" } } # Return appropriate return attributes to members of "cn=aruba.rw,ou=Groups,dc=test,dc=local" if(Ldap-Group == "cn=aruba.rw,ou=Groups,dc=test,dc=local") { update reply { Aruba-Admin-Role := root Aruba-Priv-Admin-User := 1 } } # Return appropriate return attributes to members of "cn=aruba.ro,ou=Groups,dc=test,dc=local" if(Ldap-Group == "cn=aruba.ro,ou=Groups,dc=test,dc=local" && !Ldap-Group == "cn=aruba.rw,ou=Groups,dc=test,dc=local") { update reply { Aruba-Admin-Role := read-only } } } This is working quite well. An AD user can't logon to a telnet device because the Auth-Type is set to PAP. A local user defined in users file can't logon to any other device than the telnet ones cause of the Huntgroup restriction: xosadmin Huntgroup-Name == xos, Cleartext-Password := "testpw" Now I'm coming closer to my questions. When a local user logon to a telnet device freeradius does all the ldap membership queries. When an AD user will logon to a telnet device freeradius also does all the ldap membership queries. Q1: Can I abbreviate this process that when a local user wants access to a telnet device the ldap queries will be skipped? Q2: Is there a smarter way to reject a local user immediately when he wants to logon to a non telnet device? Q3: Is there a smarter way to reject an AD user immediately when he wants to logon to a telnet device? Q4: Are there any tweaking capabilities to my unlang code to make it smarter or more hardened? Q5: Can I abbreviate any code snippets like using a switch/case block or use variables or anything I don't know? Q6: Are the positions of the unlang code in the authorize section correct? Thanks in advance for any help and hints. Regards, Tobias Hachmer