Checking ldap-group in post-auth instead of users file ?

Fred MAISON at
Tue Jun 1 12:41:38 CEST 2010

Hello all,

I encounter difficulties to check for a radiusgroupname via LDAP by not
using file /etc/raddb/users, as this seems to be difficult to avoid ldap
checks for anonymous identities if default config is modified.
I must service eap-peap and eap-ttls with mschapv2.

How can i make checks on ldap radiusgroupnale without using the user
file ?

I have not been able to place somthing like this in the post-auth
section of inner-tunnel ...
              if ( "%{control:Ldap-Group}" == "wireless" )  {
                } else {

I trie to replace this in users :
# for proxy.conf to work :
DEFAULT Realm == ""
	reply-Message += "real is %{Realm}" 

DEFAULT Auth-Type == EAP, EAP-Type == Cisco-LEAP, Ldap-Group == wireless
	reply-Message = "Cisco-LEAP match in users : EAP-Type%{EAP-Type}"
DEFAULT Auth-Type == EAP, EAP-Type == Generic-Token-Card, Ldap-Group ==
	reply-Message = "match in users : EAP-Type:%{EAP-Type}"
DEFAULT FreeRADIUS-Proxied-To ==, Ldap-Group == wireless
	reply-Message += "in %{Virtual-Server}, proxy %{FreeRADIUS-proxied-To},
DEFAULT Auth-Type == EAP
	reply-Message += "in users : EAP-Type:%{EAP-Type}"
DEFAULT Auth-Type := Reject
	Reply-Message += "Please call the helpdesk."

More information about the Freeradius-Users mailing list