How to allow group login on some devices?

Alan DeKok aland at
Thu Jul 22 08:35:06 CEST 2010

Martin Whinnery wrote:
> Now, I'd like to set up our switches to use RADIUS to allow our
> technicians to log in. And they are all members of an LDAP group. Let's
> call it "cn=techies,ou=groups,dc=example,dc=org". I only want this to be
> the case for some client devices, namely our switches.
> Can anyone point me towards the documentation I should have read?

  The LDAP-Group attribute will check LDAP group membership.

  You can put switches (or NASes) into groups via the Huntgroup.  See

  Then... combine them.  In the "users" file:

DEFAULT	LDAP-Group == "techies", Huntgroup-Name != "some-switches",
Auth-Type := Reject

  (all on one line)

  Alan DeKok.
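
The combination described in the reply above, written out as an added example that is not part of the original post: the huntgroups file defines the group that the "users" entry tests. The NAS addresses are constructed, and the second "users" entry is an assumption about the intended policy, not something the post states.

```text
# raddb/huntgroups
# Put the switches into one huntgroup, one line per NAS.
# The addresses below are constructed examples (documentation range).
some-switches   NAS-IP-Address == 192.0.2.10
some-switches   NAS-IP-Address == 192.0.2.11

# raddb/users
# Entries are tried top to bottom; check items go on a single line.

# Rule from the post: a member of the "techies" LDAP group whose request
# does not come from a NAS in "some-switches" is rejected.
DEFAULT LDAP-Group == "techies", Huntgroup-Name != "some-switches", Auth-Type := Reject

# Assumed complement (not in the post): a request from one of the switches
# by a user who is not in "techies" is rejected as well, so only the
# technicians can log in to the switches.
DEFAULT Huntgroup-Name == "some-switches", LDAP-Group != "techies", Auth-Type := Reject
```

Both attributes are only evaluated if the modules that provide them are active: the huntgroups file is read by the preprocess module and LDAP-Group is provided by the ldap module.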
