Allowing Access based on Group Membership

Alan DeKok aland at
Wed Feb 15 19:15:20 CET 2006

"Jay Lee" <jlee at> wrote:
> My last task is to allow Wireless authentication only to
> members of a given LDAP Group.

  ... i.e. to reject wireless for everyone else.

> If I empty out /etc/raddb/users completely, authentication works.  If I
> put the following in users:
> DEFAULT LDAP-Group == "Wireless", Auth-Type := Accept

  Then people in the wireless group don't have their passwords checked.

> DEFAULT Auth-Type := Reject

  And everyone else gets rejected.

> However, the wireless client never quite seems to finish associating.  Any
> ideas what I'm doing wrong here?  What should the users file look like to
> allow anyone who is a member of the Wireless LDAP group and deny everyone
> else?

DEFAULT LDAP-Group != "Wireless", Auth-Type := Reject

  That rejects everyone who isn't in wireless.  As for the wireless
people, their passwords should be checked using the normal process.
You shouldn't have to do anything special there.

  Alan DeKok.

More information about the Freeradius-Users mailing list