Freeradius + Ldap - Authorise OK but NO dynamic VLANs

Alan DeKok aland at
Mon Aug 22 11:19:45 CEST 2016

On Aug 22, 2016, at 8:06 AM, Matthew Pulis <mpulis at> wrote:
> I am still far from any result. After  spending another weekend in, I would
> truly appreciate any further guidance. Thanks for your patience and help.

  My $0.02 is that you've been trying a lot of things, and haven't made progress.  The solution is simple: do less.

  Start with the default configuration.  It works.

  Configure the LDAP module as per your specs, and nothing else.

  Ensure that the server starts, and connects to LDAP.

  Update raddb/sites-available/default, the "authorize" section, to add:

	if (Ldap-Group == "SeminaryAdmin") {

  And then run the server in debugging mode.  Send it requests via radclient.

  You don't really care what the response from the server is.  You *do* care to see what happens when that LDAP-Group check is done.

  Read the output to see where it's searching in LDAP.  Ensure that it's searching in the right place.

  The larger concern is that LDAP module is designed to work with a relatively standard LDAP schema.  The more you vary the schema, the harder it is to get it to work.  The on-line docs and examples will help you less, because they also expect  standard schema.

  With a standard schema, doing LDAP group checks is a matter of about 5 minutes work.  Which leads me to conclude that either your schema is overly complex, or there's something very simple that's missing.

  Alan DeKok.

More information about the Freeradius-Users mailing list