On Tue, Feb 04, 2014 at 03:30:34PM -0500, Brian C. Huffman wrote:
On 02/03/2014 04:47 PM, Matt Zagrabelny wrote:
On Mon, Feb 3, 2014 at 3:33 PM, Brian C. Huffman <bhuffman@etinternational.com> wrote:
Which file and section should this go in? I use FR from the Debian packages, so I am not exactly sure where your installed configs are. Here is where I would put it:
/etc/freeradius/sites-available/default
in the post-auth section:
post-auth { if ((Packet-Src-IP == 1.2.3.4) && !(LDAP-Group == "allowed-for-wireless)) { reject }
. That works, but I still need to instantiate the ldap module. If I do it in post-auth, I get this error: /etc/raddb/sites-enabled/default[490]: "LDAP" modules aren't allowed in 'post-auth' sections -- they have no such method.
But I don't want to use ldap for authentication since I'm using mschap. Where should I do the initial call for ldap?
If you're purely using the LDAP-Group functionality, you should be able to list "ldap" in the instantiate section of radiusd.conf. You mention you're doing wireless - you probably want the LDAP-Group check to be in the inner-tunnel post-auth section where the real user is known, not the default post-auth section. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>