Trying to Authorize Users based on AD Groups and SSIDs

Alan DeKok aland at
Wed Feb 15 18:11:33 CET 2017

On Feb 15, 2017, at 11:47 AM, Misbah Hussaini <misbhauddin at> wrote:
> I'm trying to configure PEAP Authentication with AD backend on my FR Server
> which is running version 3.0.4 on Centos 7. So far, I'm able to
> authenticate against AD but group membership checking is not working,
> appreciate if some help can be provided.

  Group membership checking *should* be just LDAP group checking.  And that's well documented in the wiki.

> I want to map my SSIDs - SSID02362, SSID02363 etc to AD groups so that
> users in specific groups can access that particular SSID. As mentioned in
> man page of rlm_ldap I have configured group membership check in post-auth
> by adding below configuration in default and inner-tunnel config files but
> my users are getting access-reject messages. If I remove the ldap-group
> check config then all users are able to authenticate and access SSID, off
> course without any control.

  You need to check the inner identity against the group, which means checking it in the inner tunnel.

> post-auth {
> if (LDAP-Group == "FR-TEST") {
>        noop
>        }
>        else {
>        reject
>        }
> }

  That's overly complex.  Why not just "if group, reject"?   Why the extra "noop" ?

  In the "inner-tunnel" virtual server, do:

authorize {

	if (!State) {
		if ((Calling-Station-SSID == "SSID02362") && (LDAP-Group != "SSID02362")) {

		... and the same for other SSIDs and groups

  That's assuming that the SSID is in the Calling-Station-SSID attribute, of course.  See the debug log for details.

  Alan DeKok.

More information about the Freeradius-Users mailing list