On Feb 15, 2017, at 11:47 AM, Misbah Hussaini <misbhauddin@gmail.com> wrote:
I'm trying to configure PEAP Authentication with AD backend on my FR Server which is running version 3.0.4 on Centos 7. So far, I'm able to authenticate against AD but group membership checking is not working, appreciate if some help can be provided.
Group membership checking *should* be just LDAP group checking. And that's well documented in the wiki.
I want to map my SSIDs - SSID02362, SSID02363 etc to AD groups so that users in specific groups can access that particular SSID. As mentioned in man page of rlm_ldap I have configured group membership check in post-auth by adding below configuration in default and inner-tunnel config files but my users are getting access-reject messages. If I remove the ldap-group check config then all users are able to authenticate and access SSID, off course without any control.
You need to check the inner identity against the group, which means checking it in the inner tunnel.
post-auth { if (LDAP-Group == "FR-TEST") { noop } else { reject } }
That's overly complex. Why not just "if group, reject"? Why the extra "noop" ? In the "inner-tunnel" virtual server, do: authorize { ... if (!State) { if ((Calling-Station-SSID == "SSID02362") && (LDAP-Group != "SSID02362")) { reject } ... and the same for other SSIDs and groups } } That's assuming that the SSID is in the Calling-Station-SSID attribute, of course. See the debug log for details. Alan DeKok.