Freeradius LDAP and Primary Group Issues

Alan DeKok aland at
Sat Jun 8 09:29:16 CEST 2019

On Jun 7, 2019, at 2:01 AM, Kevin Virk <Kevin.Virk at> wrote:
> I have utilized this mailing list to setup Freeradius and everyone has been a great help especially Alan. Thank you very much.

  You're welcome.  Despite rumours to the contrary, we do try to help.

> Background: I am running Freeradius with EAP-TLS where the cert has a computername attribute that I pull and use in an LDAP search for group membership of that computer to assign the computer into a VLAN. So this is working, but only for users in the Active Directory group Domain Users. I test my LDAP queries in ldp.exe on Windows 10, and what I have discovered is that the query I am using does not include any computers that do not have Domain Users as their primary group.
> This is the LDAP Query I am using: (&(objectClass=computer)(memberOf:1.2.840.113556.1.4.1941:=CN=RadiusGroup,OU=Groups,OU=Departments,DC=Company,DC=local))
> Some background on this query is that the top-level radius group contains other security groups which contain the actual computers, which is why the .1941 memberOf matching rule is needed, which returns double-nested group memberships.
> My question for the mailing list is, has anyone dealt with this type of issue and if so how have you solved it?
> A quick summary if none of this makes sense is: Freeradius is working; however, LDAP doesn't return computers that are not in the Domain Users primary group, which leads to computers that are not in Domain Users not being authenticated even though they are in the security group.

  That's a triple negative, which makes it a bit hard to parse.

  This is really an issue with LDAP.  i.e. what LDAP query will magically return the information you want?

  The answer is to look at the AD documentation.  Once you've figured out the proper LDAP query, then you can configure FreeRADIUS to use that query.

  Alan DeKok.
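The gap Kevin describes is a known property of Active Directory rather than of the :1941: rule itself: when a group is set as an object's primary group, AD records that membership only in the object's primaryGroupID (the RID of the group) and drops the object from the group's member attribute, so memberOf, and therefore LDAP_MATCHING_RULE_IN_CHAIN over memberOf, never sees it. The script below is an added example, not code from this thread or from FreeRADIUS. It runs against a constructed in-memory directory (no LDAP server), with an assumed domain SID S-1-5-21-1111-2222-3333, an assumed nested group CN=LabComputers, assumed computer entries PC-A/PC-B/PC-C and the RadiusGroup DN from the post. It walks the group chain, collects each group's RID from its binary objectSid, and builds a second filter that ORs the :1941: clause with one (primaryGroupID=RID) clause per group, then shows that only the extended filter returns the computer whose primary group is a nested group.

```python
"""Added example: find AD computers nested under RadiusGroup, including ones whose
membership exists only as primaryGroupID. Constructed data; no LDAP server needed."""
import struct
from typing import Dict, List, Set

IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN
BASE = "OU=Departments,DC=Company,DC=local"
RADIUS_GROUP = f"CN=RadiusGroup,OU=Groups,{BASE}"   # DN from the post
LAB_GROUP = f"CN=LabComputers,OU=Groups,{BASE}"     # assumed nested group

# Assumed domain SID S-1-5-21-1111-2222-3333 in the binary form AD returns for
# objectSid: revision, sub-authority count, 6-byte big-endian authority, then
# little-endian 32-bit sub-authorities.
DOMAIN_SID = b"\x01\x05" + (5).to_bytes(6, "big") + struct.pack("<4I", 21, 1111, 2222, 3333)


def sid(rid_value: int) -> bytes:
    return DOMAIN_SID + struct.pack("<I", rid_value)


# Constructed directory. PC-B has LabComputers as its primary group, so AD keeps
# that membership in primaryGroupID and NOT in memberOf. 515 = Domain Computers,
# the default primary group of a computer object.
DIRECTORY: Dict[str, Dict[str, list]] = {
    RADIUS_GROUP: {"objectClass": ["group"], "objectSid": [sid(1100)],
                   "member": [LAB_GROUP], "memberOf": []},
    LAB_GROUP: {"objectClass": ["group"], "objectSid": [sid(1101)],
                "member": [f"CN=PC-A,OU=Computers,{BASE}"], "memberOf": [RADIUS_GROUP]},
    f"CN=PC-A,OU=Computers,{BASE}": {"objectClass": ["computer"], "memberOf": [LAB_GROUP], "primaryGroupID": [515]},
    f"CN=PC-B,OU=Computers,{BASE}": {"objectClass": ["computer"], "memberOf": [], "primaryGroupID": [1101]},
    f"CN=PC-C,OU=Computers,{BASE}": {"objectClass": ["computer"], "memberOf": [], "primaryGroupID": [515]},
}


def decode_sid(raw: bytes) -> str:
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def rid(raw: bytes) -> int:
    """The RID is the last sub-authority; primaryGroupID stores exactly this number."""
    return int(decode_sid(raw).rsplit("-", 1)[1])


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a filter assertion value (DNs may contain these)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def nested_groups(directory, top_dn: str) -> Set[str]:
    """Groups reachable from top_dn via 'member' (the chain the :1941: rule walks)."""
    seen, stack = set(), [top_dn]
    while stack:
        dn = stack.pop()
        entry = directory.get(dn)
        if dn in seen or entry is None or "group" not in entry["objectClass"]:
            continue
        seen.add(dn)
        stack.extend(entry.get("member", []))
    return seen


def in_chain(directory, dn: str, top_dn: str) -> bool:
    """Emulate (memberOf:1941:=top_dn): follow memberOf transitively."""
    seen, stack = set(), list(directory[dn].get("memberOf", []))
    while stack:
        g = stack.pop()
        if g == top_dn:
            return True
        if g not in seen:
            seen.add(g)
            stack.extend(directory.get(g, {}).get("memberOf", []))
    return False


def original_filter(top_dn: str) -> str:
    return f"(&(objectClass=computer)(memberOf:{IN_CHAIN}:={ldap_escape(top_dn)}))"


def extended_filter(directory, top_dn: str) -> str:
    """Same filter, plus one primaryGroupID clause per group in the chain."""
    rids = sorted(rid(directory[g]["objectSid"][0]) for g in nested_groups(directory, top_dn))
    primary = "".join(f"(primaryGroupID={r})" for r in rids)
    return f"(&(objectClass=computer)(|(memberOf:{IN_CHAIN}:={ldap_escape(top_dn)}){primary}))"


def find_computers(directory, top_dn: str, include_primary: bool = True) -> List[str]:
    rids = {rid(directory[g]["objectSid"][0]) for g in nested_groups(directory, top_dn)}
    hits = [dn for dn, e in directory.items() if "computer" in e["objectClass"]
            and (in_chain(directory, dn, top_dn)
                 or (include_primary and e["primaryGroupID"][0] in rids))]
    return sorted(hits)


if __name__ == "__main__":
    print(original_filter(RADIUS_GROUP))
    print(extended_filter(DIRECTORY, RADIUS_GROUP))
    print("original:", find_computers(DIRECTORY, RADIUS_GROUP, include_primary=False))
    print("extended:", find_computers(DIRECTORY, RADIUS_GROUP))
```

Two practical points follow from this. An LDAP filter cannot refer to another object's attribute, so the RIDs have to be known before the computer search: either run a first search for the groups in the chain and read their objectSid (decoding the binary form as above), or hard-code the RIDs of the few groups that are ever used as a primary group. And because primary-group membership is invisible to memberOf, any other place that relies on memberOf for authorization, not just this VLAN assignment, has the same blind spot.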

More information about the Freeradius-Users mailing list