Authenticate to AD but only allow certain group

Brian C. Huffman bhuffman at
Fri Feb 7 18:54:21 CET 2014

On 02/04/2014 05:01 PM, Matthew Newton wrote:
> You mention you're doing wireless - you probably want the LDAP-Group
> check to be in the inner-tunnel post-auth section where the real user
> is known, not the default post-auth section.
>
> Matthew


I'm not sure I follow.  I tried to find a good explanation of the inner 
tunnel.  I read the section on virtual servers, but wasn't quite sure 
how that applied.

I'm using MSCHAP / Samba winbind to do the authentication to a Wireless 
AP.  And I was looking to also verify that the user is a member of an AD 
group ("Wireless Allowed") before providing an authentication success.

Can you explain why you suggested to use the inner tunnel?  I'd just 
removed that from my sites-enabled and everything seemed to be working.

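For readers following this thread: with PEAP/EAP-MSCHAPv2 the supplicant's real username is only visible inside the TLS tunnel, so the `inner-tunnel` virtual server is where the authenticated identity is actually known; the outer (`default`) server may only ever see an anonymous outer identity. The following `sites-enabled/inner-tunnel` fragment is an added illustration written for this thread, not configuration posted by either participant. It assumes an `ldap` module instance is already configured in `modules/ldap` with a bind account that can read AD group membership, and that the `Wireless Allowed` group name from the question is the one to enforce; the `Reply-Message` text is a constructed placeholder.

```unlang
# sites-enabled/inner-tunnel  (added example, not from the original thread)
server inner-tunnel {

    authorize {
        # Standard EAP-MSCHAPv2 handling; the password check itself is
        # done by mschap + ntlm_auth/winbind, not by LDAP.
        mschap
        eap {
            ok = return
        }
        # Assumed: 'ldap' is instantiated in modules/ldap so that the
        # LDAP-Group comparison below can query AD group membership.
        ldap
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }

    post-auth {
        # The real User-Name is known here.  Only members of the AD group
        # "Wireless Allowed" receive an Access-Accept; everyone else is
        # rejected even though their password was correct.
        if (LDAP-Group == "Wireless Allowed") {
            ok
        }
        else {
            update reply {
                Reply-Message := "Not a member of the Wireless Allowed group"  # constructed text
            }
            reject
        }

        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

Because the check runs in `post-auth`, a password failure and a group-membership failure both end in an Access-Reject, but they are distinguishable in `radius.log` / `radiusd -X` output, which is useful when deciding whether an account is compromised or simply not entitled to wireless. Removing the `inner-tunnel` server entirely, as the poster mentions, only appears to work because EAP falls back to processing the inner request in `default`; the group check then has to live there instead, and it is easy to end up evaluating the outer identity rather than the tunnelled one.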

More information about the Freeradius-Users mailing list