Correct way to achieve groups of users and confirm access to specific clients

Alan DeKok aland at
Wed Jun 22 22:31:08 CEST 2016

On Jun 22, 2016, at 3:49 AM, Bernd <bnacht at> wrote:
> I run a FreeRADIUS Ver.:2.1.1. (as it come with SLES11)

  You can upgrade.  It's not hard.

> Configured as User-Source are LDAP (eDir) and the text file (users).
> There are a lot of clients in the client file. (I assume they are called
> NAS in RADIUS?!)

  They're called both NAS and client.  It means the same thing.

> Now I want to achieve that users are in groups and these groups should
> access only specific clients.
> I know that I can setup group(s) in LDAP and restrict RADIUS to search
> for those users only which are member of this group(s)
> Q1:
> But for which words I have to search to group my text file users?

	if ((LDAP-Group == "nas1_only) && (Client-IP-Address != {

  Use the correct IP for the client, of course.

> Q2:
> Is it possible to configure more than one LDAP section to achieve that
> different LDAP groups get access to specific clients? Or what is the
> correct way?

  You need to configure as one LDAP module for each LDAP server.  You don't need one LDAP module for each group you're checking.

  Alan DeKok.

More information about the Freeradius-Users mailing list