Hi all, i'm really brand new on freeradius. i'm using freeradius 3.0.4 with ldap, ldap autethication work for me fine with "o=organitation" but not with group = cn, maybe the ldap configuration is not the standart I'm following these thread: lists.freeradius.org/pipermail/freeradius-users/2016-December/085971.html For me: in /mods-available/ldap ldap { server = "x.x.x.x" base_dn = "o=organization,cn=telecom"} user { base_dn = "o=organization,cn=telecom" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"} group { base_dn = "o=organization,cn=telecom" filter = '(cn=telecom)' name_attribute = cn membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" membership_attribute = 'memberUid' } on radius -X : Received Access-Request Id 125 from y.y.y.y:42420 to x.x.x.x:1812 length 78 User-Name = 'usertest' User-Password = '*****' NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x075a82e674d1e57b22856618bd3adc87(2) Received Access-Request packet from host y.y.y.y port 42420, id=125, length=78(2) User-Name = 'usertest'(2) User-Password = '*****'(2) NAS-IP-Address = 127.0.1.1(2) NAS-Port = 0(2) Message-Authenticator = 0x075a82e674d1e57b22856618bd3adc87(2) # Executing section authorize from file /etc/raddb/sites-enabled/default(2) authorize {(2) eap : No EAP-Message, not doing EAP(2) [eap] = nooprlm_ldap (ldap): Reserved connection (4)(2) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})(2) ldap : --> (uid=usertest)(2) ldap : EXPAND o=organitation,cn=telecom(2) ldap : --> o=organitation,cn=telecom(2) ldap : Performing search in 'o=organitation,cn=telecom' with filter '(uid=usertest)', scope 'sub'(2) ldap : Waiting for search result...(2) ERROR: ldap : Failed performing search: The specified DN wasn't found, check base_dn and identityrlm_ldap (ldap): Released connection (4)(2) [ldap] = fail(2) } # authorize = fail(2) Invalid user (ldap: Failed performing search: The specified DN wasn't found, check base_dn and identity): [usertest/******] (from client Renaju port 0)(2) Using Post-Auth-Type Reject(2) # Executing group from file /etc/raddb/sites-enabled/default(2) Post-Auth-Type REJECT {(2) attr_filter.access_reject : EXPAND %{User-Name}(2) attr_filter.access_reject : --> usertest(2) attr_filter.access_reject : Matched entry DEFAULT at line 11(2) [attr_filter.access_reject] = updated(2) } # Post-Auth-Type REJECT = updated(2) Delaying response for 1 seconds ------- # in the "default" server authorize { ... eap { ok = return updated = return } ldap group_authorization # In the "inner-tunnel" server: authorize { ... eap { ok = return } ldap group_authorization I create "policy.d/group_authorization" the file not exist # in policy.d/group_authorization: group_authorization { if (&Huntgroup-Name == "telecom") { if (&LDAP-Group[*] == "o=organization,cn=telecom") { ok } else { update reply { &Reply-Message := "Not authorized for telecom" } reject } } elsif (&Huntgroup-Name == "telecom") { reject }} Thanks!