Authenticate to AD but only allow certain group

Brian C. Huffman bhuffman at
Tue Feb 4 21:30:34 CET 2014

On 02/03/2014 04:47 PM, Matt Zagrabelny wrote:
> On Mon, Feb 3, 2014 at 3:33 PM, Brian C. Huffman
> <bhuffman at> wrote:
>> Which file and section should this go in?
> I use FR from the Debian packages, so I am not exactly sure where your
> installed configs are. Here is where I would put it:
> /etc/freeradius/sites-available/default
> in the post-auth section:
> post-auth {
>      if ((Packet-Src-IP == && !(LDAP-Group == "allowed-for-wireless)) {
>          reject
>      }
> .
That works, but I still need to instantiate the ldap module.  If I do it 
in post-auth, I get this error:
/etc/raddb/sites-enabled/default[490]: "LDAP" modules aren't allowed in 
'post-auth' sections -- they have no such method.

But I don't want to use ldap for authentication since I'm using mschap.  
Where should I do the initial call for ldap?


More information about the Freeradius-Users mailing list