Hi guys, I am having problems with configuring Radius authentication limiting users to group in Active directory. Here is configuration of LDAP: ldap ldap1 { server = "Server" port = 389 identity = DOMAIN\user password = "password" basedn = "ou=OU,dc=domain,dc=dc,dc=dc" filter = "(sAMAccountName=%{User-Name})" groupmembership_filter = "(member=%{control:Ldap-UserDn})" groupmembership_attribute = "memberOf" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 user { filter = "(sAMAccountName=%{User-Name})" scope = "sub" base_dn = "ou=OU,dc=domain,dc=dc,dc=dc" access_positive = yes rebind = yes chase_referrals=yes } group { base_dn = "ou=OU,dc=domain,dc=dc,dc=dc" filter = "(sAMAccountName=%{User-Name})" scope = 'sub' membership_filter = "(member=%{control:Ldap-UserDn})" membership_attribute = 'memberOf' } tls { start_tls = no ca_file = "/etc/openldap/certs/ldap_certs.pem" require_cert = "demand" } dictionary_mapping = ${confdir}/ldap.attrmap keepalive { idle = 60 probes = 3 interval = 3 } } Policy: check_ldap_group_vpn { if (&ldap1-LDAP-Group[*] == "CN=group,OU=Groups,OU=OU,OU=OU,DC=DOMAIN,DC=DC,DC=DC") { ok } else { reject } } In sites-enabled for radius, I have specify this: authorize { suffix guard_vpn_file Autz-Type LDAPS-VPN { redundant { ldap1 ldap2 } check_ldap_group_vpn expiration } } Authentication is not working. Here are logs: rlm_ldap (ldap1): Reserved connection (0) (392) ldap1: EXPAND (sAMAccountName=%{User-Name}) (392) ldap1: --> (sAMAccountName=user) (392) ldap1: Performing search in "ou=ou,dc=domain,dc=dc,dc=dc" with filter "(sAMAccountName=user)", scope "sub" (392) ldap1: Waiting for search result... (392) ldap1: User object found at DN "..." rlm_ldap (ldap1): Released connection (0) (392) [ldap1] = ok (392) } # redundant = ok (392) policy check_ldap_group_vpn { (392) if (&ldap1-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") { (392) Searching for user in group "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc" rlm_ldap (ldap1): Reserved connection (0) (392) Using user DN from request "CN=user" rlm_ldap (ldap1): Released connection (0) (392) User is not a member of "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc" (392) if (&ldap1-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") -> FALSE (392) elsif (&ldap2-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") { (392) Searching for user in group "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc" rlm_ldap (ldap2): Reserved connection (0) (392) Using user DN from request "CN=user" rlm_ldap (ldap2): Released connection (0) (392) User is not a member of "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc" (392) elsif (&ldap2-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") -> FALSE (392) else { (392) [reject] = reject (392) } # else = reject (392) } # policy check_ldap_group_vpn = reject (392) } # Autz-Type LDAPS-VPN = reject User is member of group. Same configuration we are having for other domain and its working. Thank you for any advise! Best, Erik