How to restrict authorization to members of FreeIPA group

Alan DeKok aland at
Tue Jul 9 15:05:06 CEST 2019

On Jul 9, 2019, at 3:01 PM, Kees Bakker via Freeradius-Users <freeradius-users at> wrote:
> We have a Cisco for VPN and we have FreeIPA for the user administration.
> What I want is to only allow users in a FreeIPA group to connect to the VPN.
> Notice that, as far as FreeRADIUS is concerned FreeIPA is just an LDAP
> server.

  That's good.

> So far I am able to connect the radius server to our FreeIPA server. Using
> the radtest command I can see that authentication works. (I'm not sure
> about authorization, though.)

  RADIUS uses one packet for authentication and authorization.

> The Cisco is configured and FreeIPA users can connect to the VPN. However, I
> haven't figured out how to restrict VPN to only users from a specific group.
> Which configuration file do I need to adapt? Where should I be looking?

  You need to check LDAP groups.  See sites-available/default

  In the "post-auth" section, add:

	if (LDAP-Group == "groupname") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-ID := "vlan name"

  Alan DeKok.

More information about the Freeradius-Users mailing list