Trying to Authorize Users based on AD Groups and SSIDs
Misbah Hussaini
misbhauddin at gmail.com
Wed Feb 15 17:47:29 CET 2017
Dear,
I'm trying to configure PEAP authentication with an AD backend on my FR server,
which is running version 3.0.4 on CentOS 7. So far, I'm able to
authenticate against AD, but group membership checking is not working.
I would appreciate it if some help can be provided.
I want to map my SSIDs - SSID02362, SSID02363 etc. - to AD groups so that
users in specific groups can access that particular SSID. As mentioned in
the man page of rlm_ldap, I have configured the group membership check in post-auth
by adding the configuration below in the default and inner-tunnel config files, but
my users are getting Access-Reject messages. If I remove the LDAP-Group
check config, then all users are able to authenticate and access the SSID, of
course without any control.
post-auth {
    if (LDAP-Group == "FR-TEST") {
        noop
    }
    else {
        reject
    }
}
If group membership works, then I can go ahead and add the config below to test
SSID with group membership (this is not done yet).
post-auth {
    if (LDAP-Group == "FR-TEST" && Calling-Station-SSID == "SSID02362") {
        noop
    }
    else {
        reject
    }
}
Where am I going wrong?
Debug can be found here -> http://pastebin.com/zSptQPaa
Regards
Misbah