Authenticate to AD but only allow certain group

Alan DeKok aland at
Mon Feb 3 22:18:44 CET 2014

Brian C. Huffman wrote:
> I would prefer to have this happen only when requests come from a
> specific client (wireless access point).  In this case the idea is to
> have users only be able to get wireless access when they're in a
> specific AD group.
> How can I do this in freeradius?

  If they're using wireless, and they're NOT in the group, reject.

  Use the source IP for wireless access.  Use LDAP-Group for the group

	if ((Packet-Src-IP == &&
            !(LDAP-Group == "allowed-for-wireless)) {

  Alan DeKok.

More information about the Freeradius-Users mailing list