Global User Blacklist

David Aldwinckle daldwinc at
Tue Jul 31 14:26:29 CEST 2012


I figure that other people might benefit from this too, so...

I was correct in my previous message. I added ldap to the authorize section of the inner tunnel, and did the group checking in the post-auth of the default server and everything worked wonderfully. 


On 2012-07-30, at 1:28 PM, David Aldwinckle <daldwinc at> wrote:

> Thanks for your response, Alan.
> I'll give that a shot.
> Is it to correct to assume that the only additional thing I should need is to uncomment "ldap" in the authorize stanza of the inner-tunnel? I would imagine listing it after eap in the default server would have a large impact on performance.
> Dave
> On 2012-07-30, at 1:11 PM, Alan DeKok <aland at> wrote:
>> David Aldwinckle wrote:
>>> Is it possible to do LDAP group checking in post-auth of the default server even if the request is EAP?
>> Yes.
>> if (LDAP-Group == "banned") {
>> 	reject
>> }
>> -
>> List info/subscribe/unsubscribe? See
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list