On 02/04/2014 05:01 PM, Matthew Newton wrote:
You mention you're doing wireless - you probably want the LDAP-Group check to be in the inner-tunnel post-auth section where the real user is known, not the default post-auth section. Matthew
Matt, I'm not sure I follow. I tried to find a good explanation of the inner tunnel. I read the section on virtual servers, but wasn't quite sure how that applied. I'm using MSCHAP / Samba winbind to do the authentication to a Wireless AP. And I was looking to also verify that the user is a member of an AD group ("Wireless Allowed") before providing an authentication success. Can you explain why you suggested to use the inner tunnel? I'd just removed that from my sites-enabled and everything seemed to be working. Thanks, Brian