Trying to Authorize Users based on AD Groups and SSIDs
Misbah Hussaini
misbhauddin at gmail.com
Thu Feb 16 08:12:46 CET 2017
Hi Alan,
Thanks for the reply. I have configured the code below in the top section of
authorize in the inner-tunnel config, but all users are still getting access to the SSID,
though the debug shows an LDAP check happening. You can check the debug on
pastebin here -> http://pastebin.com/1BXxxvtC
if (!State) {
    if ((Called-Station-SSID == "SSID02362") && (LDAP-Group != "FR-TEST")) {
        reject
    }
}
The rewrite attribute for getting the SSID is Called-Station-SSID, not
Calling-Station-SSID, as mentioned in the canonicalization file.
Regards
Misbah
On 15 February 2017 at 20:47, Misbah Hussaini <misbhauddin at gmail.com> wrote:
> Dear,
>
> I'm trying to configure PEAP authentication with an AD backend on my FR
> server, which is running version 3.0.4 on CentOS 7. So far, I'm able to
> authenticate against AD, but group membership checking is not working. I'd
> appreciate it if some help could be provided.
>
> I want to map my SSIDs - SSID02362, SSID02363, etc. - to AD groups so that
> users in specific groups can access that particular SSID. As mentioned in the
> man page of rlm_ldap, I have configured the group membership check in post-auth
> by adding the configuration below in the default and inner-tunnel config files, but
> my users are getting Access-Reject messages. If I remove the LDAP-Group
> check config, then all users are able to authenticate and access the SSID, of
> course without any control.
>
> post-auth {
>     if (LDAP-Group == "FR-TEST") {
>         noop
>     }
>     else {
>         reject
>     }
> }
>
> If group membership works, then I can go ahead and add the config below to test
> SSID with group membership (this is not done yet).
>
> post-auth {
>     if (LDAP-Group == "FR-TEST" && Calling-Station-SSID == "SSID02362") {
>         noop
>     }
>     else {
>         reject
>     }
> }
>
> Where am I going wrong?
>
> Debug can be found here -> http://pastebin.com/zSptQPaa
>
>
> Regards
> Misbah
>
>
>
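The following is an added unlang example for the SSID-to-group mapping discussed in this thread; it is not code from the list post or from the FreeRADIUS project. It assumes FreeRADIUS 3.0.x with the ldap module instantiated under its default name `ldap` (so the virtual attribute is `LDAP-Group`), that `rewrite_called_station_id` runs in the outer (default) server's authorize section, and that the group names and the second SSID are placeholders. It is meant for the `authorize` section of sites-available/inner-tunnel, placed after the `ldap` module call so `LDAP-Group` is evaluated against the inner (real) User-Name rather than the outer, possibly anonymous, identity.

```unlang
# Added example, not from the original post.
# Location: sites-available/inner-tunnel, section "authorize", after "ldap".
#
# rewrite_called_station_id (policy.d/canonicalization) runs in the outer
# server, so the derived Called-Station-SSID is an attribute of the OUTER
# request. Inside the inner tunnel it is read via the outer.request list
# instead of the inner request list, where it would otherwise be absent.
#
# "FR-TEST" is the group from the thread; "FR-GUEST" and "SSID02363" are
# assumed placeholder values.

switch &outer.request:Called-Station-SSID {
    case "SSID02362" {
        # Only members of FR-TEST may join this SSID.
        if (&LDAP-Group != "FR-TEST") {
            update reply {
                Reply-Message := "Not authorized for this SSID"
            }
            reject
        }
    }
    case "SSID02363" {
        # Assumed mapping for a second SSID.
        if (&LDAP-Group != "FR-GUEST") {
            reject
        }
    }
    case {
        # Fail closed: an SSID with no configured mapping is denied,
        # so a new or misspelled SSID cannot silently allow everyone.
        reject
    }
}
```

If the ldap module is instantiated under another name (for example `ldap_ad`), the comparison attribute becomes `ldap_ad-LDAP-Group`. When testing with `radiusd -X`, confirm in the inner-tunnel section of the debug output that both the group comparison and the `outer.request:Called-Station-SSID` expansion show the values you expect; an empty SSID expansion means the rewrite did not run in the outer server for that request.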