AD Authentication Permissions

Alan DeKok aland at
Sat Jan 5 01:44:10 CET 2013

Tyler Brady wrote:
> I am setting up a freeRADIUS (2.1.10) server for my network. I have
> everything working how I want it to except for some of the permission
> settings. For example, when users log in to Motorola radios in my
> network via freeRADIUS they only receive read-only permissions. Or when
> a Cisco user logs in I would like for them to receive automatic
> #privilege level 15.  I need for users to receive admin privileges. How
> do I accomplish this?

  Use LDAP groups.

> NOTE: I’m authenticating against active directory. So where can I
> configure things like “/cisco/-/avpair/ = /shell/:/priv/-/lvl=15, or
> Motorola-WIBB-Auth-Role = system-admin-role?”  I// understand how to
> configure permissions when you have individual users configured in
> users.conf. file. How do you configure permissions when you don’t have
> any local users configured, but are using Active Directory?/


> /Right now I use only one Active Directory group “//Radius-Users//” for
> authentication. If a user is part of the //Radius-Users// group on the
> AD server, then they get access. This is fine for now, but in the future
> I would like to set up more granular access control. I have seen a lot
> of talk about LDAP groups, but have not been able to find decent
> information on it. Ideally I would like for there to be several
> different user groups set up with different permissions for each. How do
> you accomplish this with freeRADIUS + Active Directory?/

  Set up groups in LDAP.  See the LDAP / AD documentation.

  Then, in FreeRADIUS, check them:

#-- users file
DEFAULT	LDAP-Group == "foo", ...


  Alan DeKok.

More information about the Freeradius-Users mailing list