Freeradius Samba4 group restriction

Arran Cudbard-Bell a.cudbardb at
Tue Feb 7 15:17:01 CET 2017

> On 7 Feb 2017, at 14:02, Brian Candler <B.Candler at> wrote:
> On 07/02/2017 11:19, Matthew Newton wrote:
>> On Tue, Feb 07, 2017 at 08:50:02AM +0100, Dávid Erős wrote:
>>> Thank you for the link, but I'd like to avoid using LDAP. Is there another
>>> way to get this done by winbind and rlm_unix?
>> rlm_ldap is still the best way at present.
>> There is new experimental code in the unsupported v3.1.x branch which
>> can check groups directly with winbind. If you want to give it a
>> spin, look at rlm_winbind. Make sure you only check groups in
>> post-auth after a successful authentication.
> Aside: if you're doing any sort of policy checking in post-auth, what's the official / supported way to change an Access-Accept into an Access-Reject?
> Is it simply to invoke 'reject' from the 'always' module?

That really confuses supplicants in the case of PEAP. It’ll work in that dot1x auth will fail; it’s not a great way to do it, but it’s probably the best you can do for v3.0.x.

In v4.0.x the plan is to expose the MSCHAPv2 states as sections within an MSCHAPv2 virtual server. That means you can make policy decisions during MSCHAPv2 processing, and send failures all the way up through the MSCHAPv2->PEAP->EAP->RADIUS stack.


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
