Hello everybody, I successfully got Freeradius running for WPA Enterprise with Samba Active Diretory. OS: Debian Buster FreeRADIUS Version: 3.0.17 The /etc/freeradius/3.0/mods-available/ntlm_auth looks like this: exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=HOME --username=%{mschap:User-Name} --password=%{User-Password}" } Now I would also like to perform a VLAN assignment based on groups of the user in the AD. First my question: Is this in the post-auth over LDAP possible? For this I have setup in the LDAP config (/etc/freeradius/3.0/mods-available/ldap): ldap { server = "pdc.home.uhlmann.world" port = 389 identity = "cn=radius-auth,cn=users,DC=home,DC=uhlmann,DC=world" password = << secret password >> basedn = "CN=Users,DC=home,DC=uhlmann,DC=world" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" tls { start_tls = no } group { base_dn = "CN=Users,DC=home,DC=uhlmann,DC=world" name_attribute = cn membership_filter = "(|(member=%{control:Ldap-UserDn})(memberOf=%{%{Stripped-User-Name}:-%{User-Name}}))" membership_attribute = 'memberOf' } options { chase_referrals = no rebind = yes timeout = 10 timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } } In /etc/freeradius/3.0/sites-enabled/default I configured the following in the post-auth section: ldap if (LDAP-Group == "wlan-gast") { update reply { Tunnel-type = VLAN Tunnel-medium-type = IEEE-802 Tunnel-Private-Group-Id = 851 } } elsif (LDAP-Group == "wlan-kinder") { update reply { Tunnel-type = VLAN Tunnel-medium-type = IEEE-802 Tunnel-Private-Group-Id = 999 } } else { update reply { Tunnel-type = VLAN Tunnel-medium-type = IEEE-802 Tunnel-Private-Group-Id = 999 } } Unfortunately, the assignment to the VLAN 999 always takes place, the following can be seen in the debug output: (8) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (8) post-auth { (8) update { (8) No attributes updated (8) } # update = noop (8) [ldap] = noop (8) if (LDAP-Group == "wlan-gast") { (8) Searching for user in group "wlan-gast" rlm_ldap (ldap): Reserved connection (2) (8) Performing unfiltered search in "", scope "sub" (8) Waiting for search result... (8) The specified DN wasn't found (8) Search returned no results rlm_ldap (ldap): Released connection (2) (8) if (LDAP-Group == "wlan-gast") -> FALSE (8) elsif (LDAP-Group == "wlan-kinder") { (8) Searching for user in group "wlan-kinder" rlm_ldap (ldap): Reserved connection (3) (8) Performing unfiltered search in "", scope "sub" (8) Waiting for search result... (8) The specified DN wasn't found (8) Search returned no results rlm_ldap (ldap): Released connection (3) (8) elsif (LDAP-Group == "wlan-kinder") -> FALSE (8) else { (8) update reply { (8) Tunnel-type = VLAN (8) Tunnel-medium-type = IEEE-802 (8) Tunnel-Private-Group-Id = 999 (8) } # update reply = noop (8) } # else = noop (8) [exec] = noop (8) policy remove_reply_message_if_eap { (8) if (&reply:EAP-Message && &reply:Reply-Message) { (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (8) else { (8) [noop] = noop (8) } # else = noop (8) } # policy remove_reply_message_if_eap = noop (8) } # post-auth = noop (8) Login OK: [testgast/<via Auth-Type = eap>] (from client unifi port 0 cli 48-BF-6B-47-56-EC) (8) Sent Access-Accept Id 156 from 192.168.127.37:1812 to 192.168.127.197:54036 length 0 (8) MS-MPPE-Recv-Key = 0xdb66ce7a4780f479ecba8643b5408656d13b0affd455c45cc0598fb495e3815f (8) MS-MPPE-Send-Key = 0x02dd275fc9cd169117139666b81da0fb40b3e280174c546b15de84688cb91d91 (8) EAP-Message = 0x03540004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) User-Name = "testgast" (8) Tunnel-Type = VLAN (8) Tunnel-Medium-Type = IEEE-802 (8) Tunnel-Private-Group-Id = "999" (8) Finished request (In the appendix again the complete debug.log) As you can see, freeradius does not seem to search correctly in LDAP. Running a mnauelles with ldapsearch (as stated here https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-avail...) comes to the following result: ldapsearch -D cn=radius-auth,cn=users,DC=home,DC=uhlmann,DC=world -w << secret password >> -h pdc.home.uhlmann.world -b 'CN=Users,DC=home,DC=uhlmann,DC=world' '(&(objectClass=user)(sAMAccountName=testgast)(memberOf=CN=wlan-gast,CN=Users,DC=home,DC=uhlmann,DC=world))' # extended LDIF # # LDAPv3 # base <CN=Users,DC=home,DC=uhlmann,DC=world> with scope subtree # filter: (&(objectClass=user)(sAMAccountName=testgast)(memberOf=CN=wlan-gast,CN=Users,DC=home,DC=uhlmann,DC=world)) # requesting: ALL # # testgast, Users, home.uhlmann.world dn: CN=testgast,CN=Users,DC=home,DC=uhlmann,DC=world objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: testgast givenName: testgast instanceType: 4 whenCreated: 20190216205554.0Z displayName: testgast uSNCreated: 13776 name: testgast objectGUID:: bd40XvQpbkSeX5icQ6HMwQ== badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAA0HcQPtkCCXK+0rCrrgUAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: testgast sAMAccountType: 805306368 userPrincipalName: testgast@home.uhlmann.world objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=home,DC=uhlmann,DC=wor ld userAccountControl: 66048 memberOf: CN=wlan-gast,CN=Users,DC=home,DC=uhlmann,DC=world pwdLastSet: 131971360575227260 lockoutTime: 0 lastLogonTimestamp: 131971360685327730 whenChanged: 20190315150748.0Z uSNChanged: 14549 distinguishedName: CN=testgast,CN=Users,DC=home,DC=uhlmann,DC=world # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Can someone tell me if this is what I intend and possibly where my mistake lies? Thanks and Regards Christian