Authenticate to AD but only allow certain group

Matthew Newton mcn4 at
Tue Feb 4 23:01:43 CET 2014

On Tue, Feb 04, 2014 at 03:30:34PM -0500, Brian C. Huffman wrote:
> On 02/03/2014 04:47 PM, Matt Zagrabelny wrote:
> >On Mon, Feb 3, 2014 at 3:33 PM, Brian C. Huffman
> ><bhuffman at> wrote:
> >>Which file and section should this go in?
> >I use FR from the Debian packages, so I am not exactly sure where your
> >installed configs are. Here is where I would put it:
> >
> >/etc/freeradius/sites-available/default
> >
> >in the post-auth section:
> >
> >post-auth {
> >     if ((Packet-Src-IP == && !(LDAP-Group == "allowed-for-wireless)) {
> >         reject
> >     }
> >
> >.
> That works, but I still need to instantiate the ldap module.  If I
> do it in post-auth, I get this error:
> /etc/raddb/sites-enabled/default[490]: "LDAP" modules aren't allowed
> in 'post-auth' sections -- they have no such method.
> But I don't want to use ldap for authentication since I'm using
> mschap.  Where should I do the initial call for ldap?

If you're purely using the LDAP-Group functionality, you should be
able to list "ldap" in the instantiate section of radiusd.conf.

You mention you're doing wireless - you probably want the
LDAP-Group check to be in the inner-tunnel post-auth section where
the real user is known, not the default post-auth section.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list