Active directory integration and grant access base on AD group membership
Alan DeKok
aland at deployingradius.com
Tue Feb 14 18:03:38 CET 2017
On Feb 14, 2017, at 11:57 AM, Luc Paulin <paulinster at gmail.com> wrote:
>
> Thanx Matthew,
> I already had a look at that URL, but it looks like it doesn't work.
It works if you follow the documentation.
> It must be
> something I am not doing right, but I'm unsure what.
>
> I have created a huntgroup which looks like this:
>
> wireless NAS-IP-Address == 10.1.0.81
>
> and my users file only has the following line in it:
>
> DEFAULT Ldap-Group == "admin-galaxie", Huntgroup-Name == "wireless"
>
> So my understanding is that users who aren't members of the wireless-users
> group shouldn't be granted access to the wireless network/device. But that
> isn't what is happening: everyone is granted access.
That's not how the "users" file works. Please read the documentation to see how it works.
That DEFAULT entry just checks if the LDAP-Group and Huntgroup-Name match. It doesn't *do* anything if they match, or if they don't match.
You should write your policies in "unlang". It's clearer:
authorize {
    ...
    # check only the first packet of EAP, and all non-EAP
    if (!&EAP-Message || !&State) {
        # group name must match the LDAP group exactly
        if ((&Huntgroup-Name == "wireless") && (&Ldap-Group != "admin-galaxies")) {
            reject
        }
    }
    ...
}
It's *much* easier to write clear if / then / else statements, instead of relying on your assumption about how the "users" file works.
Alan DeKok.
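As an added example (not part of Alan's message or of the FreeRADIUS distribution), here is the same reject policy placed in the default site's authorize section together with the huntgroup definition quoted in the thread; the file paths are the FreeRADIUS 3.x defaults, the Reply-Message text is chosen here, and the group name is the one from the quoted users file.

```unlang
# /etc/raddb/mods-config/preprocess/huntgroups
# Maps the controller's NAS-IP-Address to the huntgroup name "wireless".
wireless    NAS-IP-Address == 10.1.0.81

# /etc/raddb/sites-enabled/default  (authorize section, relevant parts only)
authorize {
    filter_username
    preprocess            # reads huntgroups and sets &Huntgroup-Name
    suffix

    # The check must sit BEFORE the eap module: "eap { ok = return }"
    # stops authorize processing for EAP packets, so a check placed after
    # it would never see them. Only the first EAP packet (no State yet)
    # and all non-EAP requests are tested; later EAP round-trips are skipped.
    if (!&EAP-Message || !&State) {
        # Comparing &Ldap-Group makes rlm_ldap look up group membership.
        # The name must match the LDAP group exactly ("admin-galaxie" is
        # the value from the users file quoted in the thread).
        if ((&Huntgroup-Name == "wireless") && (&Ldap-Group != "admin-galaxie")) {
            update reply {
                &Reply-Message := "Not authorized for the wireless network"
            }
            reject
        }
    }

    eap {
        ok = return
    }
    ldap
    # remaining modules of the default authorize section unchanged
}

# For contrast, the users file line from the thread does nothing on its own:
# a DEFAULT entry only matches; with no Auth-Type or reply items, a match
# neither accepts nor rejects the request.
#
#   DEFAULT Ldap-Group == "admin-galaxie", Huntgroup-Name == "wireless"
```

Run `radiusd -X` and send a test request with `radtest` from a user outside the group to confirm the Access-Reject and the Reply-Message appear in the debug output.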
More information about the Freeradius-Users mailing list