Hello, I have implemented in my centos7 freeradius 3 so far succeeded, authenticate users through Active Directory using ntlm_auth however I'm having trouble implementing rules at the level of user groups to determine which user can authenticate each SSID i tryed implement what it says on the link bellow, but I did not succeed. https://lists.freeradius.org/pipermail/freeradius-users/2014-August/073474.h... if (NAS-Port-Type == Wireless-802.11) { # If User-Name doesn't contain our domain then add it. # It's needed for the Group check to use the correct # username. if (User-Name !~ /DOMAIN\\\\/i) { update request { User-Name := "DOMAIN\\\\%{User-Name}" } } if (Called-Station-Id =~ /.*:SSID-A/i) { # Can't do 'if (Group != "xxxxx")' because != # operator doesn't work for group checking. Careful # with the number of backslashes. if (!(Group == "DOMAIN\\\\group A") ) { update reply { Reply-Message = "User not allowed to join this wireless network" } reject } } elsif (Called-Station-Id =~ /.*:SSID-B/i) { if (!(Group == "DOMAIN\\\\group B") ) { update reply { Reply-Message = "User not allowed to join this wireless network" } reject } } }
On Sep 21, 2016, at 10:38 AM, Anderson Gomes via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I have implemented in my centos7 freeradius 3 so far succeeded, authenticate users through Active Directory using ntlm_auth however I'm having trouble implementing rules at the level of user groups to determine which user can authenticate each SSID i tryed implement what it says on the link bellow, but I did not succeed.
See the FAQ for "it doesn't work".
if (!(Group == "DOMAIN\\\\group A") ) {
That checks for Unix groups. i.e. groups in /etc/groups. Is this what you want? If not, use LDAP groups. See http://wiki.freeradius.org/ for documentation on using LDAP groups. Alan DeKok.
participants (2)
-
Alan DeKok -
Anderson Gomes