Freeradius LDAP and Primary Group Issues

Kevin Virk Kevin.Virk at faithlife.com
Fri Jun 7 08:01:51 CEST 2019


I have utilized this mailing list to set up FreeRADIUS, and everyone has been a great help, especially Alan. Thank you very much.

Background: I am running FreeRADIUS with EAP-TLS, where the cert has a computer name attribute that I pull and use in an LDAP search for that computer's group membership in order to assign the computer to a VLAN. This is working, but only for users in the Active Directory group Domain Users. I test my LDAP queries with ldp.exe on Windows 10, and what I have discovered is that the query I am using does not return any computers that do not have Domain Users as their primary group.

This is the LDAP Query I am using: (&(objectClass=computer)(memberOf:1.2.840.113556.1.4.1941:=CN=RadiusGroup,OU=Groups,OU=Departments,DC=Company,DC=local))

Some background on this query: the top-level RADIUS group contains other security groups, which contain the actual computers, which is why the .1941 memberOf attribute is needed, as it returns double-nested group memberships.

My question for the mailing list is: has anyone dealt with this type of issue, and if so, how have you solved it?

A quick summary, if none of this makes sense: FreeRADIUS is working; however, LDAP doesn't return computers that do not have Domain Users as their primary group, which leads to computers that are not in Domain Users not being authenticated even though they are in the security group.

Thank you very much for your time.
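The symptom described above is consistent with how Active Directory stores primary-group membership: an object's primary group is recorded only as a RID in its primaryGroupID attribute, not in the object's memberOf attribute and not in the group's member attribute, so a memberOf chain match (1.2.840.113556.1.4.1941) cannot see it. The Python below is an added example, not code from the post or from FreeRADIUS. It evaluates the posted chain filter and a widened one (chain match OR primaryGroupID equal to the RID of any group in the nested tree) against a constructed in-memory snapshot of directory entries, and builds the widened filter string. All DNs other than RadiusGroup, and all SIDs and RIDs, are made up for illustration.

```python
"""Nested AD group resolution that also honours primaryGroupID.

Added example, not code from the original post or from FreeRADIUS. Works on a
constructed in-memory snapshot (no live LDAP server); the Lab-PCs group, the
PCxx computers, and every SID/RID are hypothetical.
"""
import re
from collections import deque

TARGET_GROUP = "CN=RadiusGroup,OU=Groups,OU=Departments,DC=Company,DC=local"
LAB_GROUP = "CN=Lab-PCs,OU=Groups,OU=Departments,DC=Company,DC=local"
DOMAIN_COMPUTERS_RID = 515  # well-known RID of "Domain Computers"

# Constructed snapshot: only the attributes that matter for the problem.
DIRECTORY = [
    {"dn": TARGET_GROUP, "objectClass": "group",
     "objectSid": "S-1-5-21-1111-2222-3333-1105", "memberOf": []},
    {"dn": LAB_GROUP, "objectClass": "group",
     "objectSid": "S-1-5-21-1111-2222-3333-1106", "memberOf": [TARGET_GROUP]},
    # PC01: ordinary member of Lab-PCs, so it is visible through memberOf.
    {"dn": "CN=PC01,OU=Workstations,DC=Company,DC=local", "objectClass": "computer",
     "primaryGroupID": DOMAIN_COMPUTERS_RID, "memberOf": [LAB_GROUP]},
    # PC02: Lab-PCs is its *primary* group. AD records that only in
    # primaryGroupID (the group's RID); memberOf stays empty, so a chain
    # match on memberOf cannot find it.
    {"dn": "CN=PC02,OU=Workstations,DC=Company,DC=local", "objectClass": "computer",
     "primaryGroupID": 1106, "memberOf": []},
    # PC03: not in the tree at all; must stay excluded either way.
    {"dn": "CN=PC03,OU=Workstations,DC=Company,DC=local", "objectClass": "computer",
     "primaryGroupID": DOMAIN_COMPUTERS_RID, "memberOf": []},
]


def rid_from_sid(sid):
    """Return the RID (last sub-authority) of an SDDL SID string."""
    if not re.fullmatch(r"S-1-\d+(?:-\d+)+", sid):
        raise ValueError("not an SDDL SID: %r" % sid)
    return int(sid.rsplit("-", 1)[1])


def nested_groups(directory, top_dn):
    """DNs of top_dn and every group that is transitively a member of it,
    following memberOf links. This is the set LDAP_MATCHING_RULE_IN_CHAIN
    (1.2.840.113556.1.4.1941) walks; primaryGroupID is not part of it."""
    groups = {e["dn"]: e for e in directory if e["objectClass"] == "group"}
    found, queue = {top_dn}, deque([top_dn])
    while queue:
        parent = queue.popleft()
        for dn, g in groups.items():
            if parent in g["memberOf"] and dn not in found:
                found.add(dn)
                queue.append(dn)
    return found


def nested_group_rids(directory, top_dn):
    """RIDs of all groups in the nested tree, derived from their objectSid."""
    tree = nested_groups(directory, top_dn)
    return {rid_from_sid(e["objectSid"]) for e in directory if e["dn"] in tree}


def computers_by_memberof_chain(directory, top_dn):
    """Offline equivalent of the posted filter:
    (&(objectClass=computer)(memberOf:1.2.840.113556.1.4.1941:=<top_dn>))"""
    tree = nested_groups(directory, top_dn)
    return sorted(e["dn"] for e in directory
                  if e["objectClass"] == "computer"
                  and any(g in tree for g in e["memberOf"]))


def computers_with_primary_group(directory, top_dn):
    """Same, but also accept a computer whose primaryGroupID is the RID of any
    group in the tree, which is the only place AD records primary membership."""
    tree = nested_groups(directory, top_dn)
    rids = nested_group_rids(directory, top_dn)
    return sorted(e["dn"] for e in directory
                  if e["objectClass"] == "computer"
                  and (any(g in tree for g in e["memberOf"])
                       or e["primaryGroupID"] in rids))


def ldap_escape(value):
    """RFC 4515 escaping for an assertion value inside a search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def build_filter(top_dn, rids):
    """Widened filter for ldp.exe or an rlm_ldap search: the chain match OR a
    primaryGroupID clause per nested-group RID."""
    clauses = ["(memberOf:1.2.840.113556.1.4.1941:=%s)" % ldap_escape(top_dn)]
    clauses += ["(primaryGroupID=%d)" % r for r in sorted(rids)]
    return "(&(objectClass=computer)(|%s))" % "".join(clauses)


if __name__ == "__main__":
    print("memberOf chain only :", computers_by_memberof_chain(DIRECTORY, TARGET_GROUP))
    print("with primaryGroupID :", computers_with_primary_group(DIRECTORY, TARGET_GROUP))
    print(build_filter(TARGET_GROUP, nested_group_rids(DIRECTORY, TARGET_GROUP)))
```

Against a live directory the RIDs come from a second search for the group objects' objectSid (the matching-rule clause and the primaryGroupID clauses cannot be combined into a single chain), and the filter has to be regenerated whenever a group is added to or removed from the tree. The memberOf clause is still required, since primaryGroupID names exactly one group per object; it only covers the membership that memberOf leaves out.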



More information about the Freeradius-Users mailing list