Allowing Access based on Group Membership

Jay Lee jlee at
Thu Feb 16 18:05:29 CET 2006

On Wed, February 15, 2006 1:15 pm, Alan DeKok wrote:
> "Jay Lee" <jlee at> wrote:
>> My last task is to allow Wireless authentication only to
>> members of a given LDAP Group.
> ... i.e. to reject wireless for everyone else.

So the glass is half empty?  :-)

>> If I empty out /etc/raddb/users completely, authentication works.  If I
>>  put the following in users:
>> DEFAULT LDAP-Group == "Wireless", Auth-Type := Accept
> Then people in the wireless group don't have their passwords checked.

Yeah, guess that's not what I want, I thought the group check was taking
place after the password check.

>> DEFAULT Auth-Type := Reject
> And everyone else gets rejected.
>> However, the wireless client never quite seems to finish associating.
>> Any
>> ideas what I'm doing wrong here?  What should the users file look like
>> to allow anyone who is a member of the Wireless LDAP group and deny
>> everyone else?
> DEFAULT LDAP-Group != "Wireless", Auth-Type := Reject

> That rejects everyone who isn't in wireless.  As for the wireless
> people, their passwords should be checked using the normal process. You
> shouldn't have to do anything special there.

That works perfectly, thanks!

Jay Lee
Network / Systems Administrator
Information Technology Dept.
Philadelphia Biblical University

More information about the Freeradius-Users mailing list