Hi I am using FreeRadius 3 to authenicate Wifi users with WPA2 enterprise which are then checked in a OpenLDAP directory. This is working fine as long as I accept that all users in base_dn = 'ou=People,dc=example,dc=se' can use the Wifi. To guard againt this I have worked to implement LDAP Group checking in FreeRadius 3 and this seems not to to be working. Even if I mess up the filter settings under the ”Group” section in /usr/local/etc/raddb/mods-enabled/ldap, FreeRadius gladly accepts the user as long as the user/password is OK. The Group section does not seem to affect the process at all. I am using FreeRadius 3.0.12 and OpenLDAP 2.4.44 which are running happily on FreeBSD 10.3 i386. Best Regards Stefan Sundberg User section of the FreeRadius ldap file: user { # Where to start searching in the tree for users base_dn = 'ou=People,dc=example,dc=se' # Filter for user objects, should be specific enough # to identify a single user object. # # For Active Directory, you should use # "samaccountname=" instead of "uid=" # filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" } Group section of the FreeRadius ldap file: group { # Where to start searching in the tree for groups base_dn = 'ou=Groups,dc=example,dc=se' # Filter for group objects, should match all available # group objects a user might be a member of. # Radius is an existing LDAP Group under 'ou=Groups,dc=example,dc=se' filter = '(cn=Radius)' # Attribute that uniquely identifies a group. # Is used when converting group DNs to group # names. name_attribute = cn # Filter to find group objects a user is a member of. # That is, group objects with attributes that # identify members (the inverse of membership_attribute). membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" # The attribute in user objects which contain the names # or DNs of groups a user is a member of. # Unless a conversion between group name and group DN is # needed, there's no requirement for the group objects # referenced to actually exist. membership_attribute = 'memberUid' } Debug print of radiusd -X: (0) Received Access-Request Id 48 from 192.168.5.250:3759 to 192.168.5.249:1812 length 117 (0) User-Name = "myuser" (0) Acct-Session-Id = "1481748386W82ujh" (0) NAS-IP-Address = 127.0.0.1 (0) NAS-Identifier = "Localhost" (0) NAS-Port = 0 (0) Calling-Station-Id = "1115551212" (0) User-Password = "password" (0) Message-Authenticator = 0x5e20b42290bb652cd15b5355b41d0b4d (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "myuser", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (uid=myuser) (0) ldap: Performing search in "ou=People,dc=example,dc=se" with filter "(uid=myuser)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: User object found at DN "uid=myuser,ou=People,dc=example,dc=se" (0) ldap: Processing user attributes (0) ldap: control:Password-With-Header += 'password' rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = updated (0) [expiration] = noop (0) [logintime] = noop (0) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (0) pap: Removing &control:Password-With-Header (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known good" Cleartext-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Login OK: [myuser/password] (from client ts01 port 0 cli 1115551212) (0) Sent Access-Accept Id 48 from 192.168.5.249:1812 to 192.168.5.250:3759 length 0 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 48 with timestamp +33 Ready to process requests