WPA Enterprise with Radius assigned VLAN from LDAP (Samba Active Directory)

Alan DeKok aland at deployingradius.com
Sun Mar 17 15:13:38 CET 2019

On Mar 17, 2019, at 10:06 AM, Christian Uhlmann <christian at uhlmann.it> wrote:
> I successfully got Freeradius running for WPA Enterprise with Samba Active Diretory.

  That's good.

> Now I would also like to perform a VLAN assignment based on groups of the user in the AD.
> First my question: Is this in the post-auth over LDAP possible?


> For this I have setup in the LDAP config (/etc/freeradius/3.0/mods-available/ldap):
> ...
>                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberOf=%{%{Stripped-User-Name}:-%{User-Name}}))"

  That's may be wrong.  It should likely be:

		membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"

  The default config in 3.0.18, which has more documentation on AD interaction.  The above string is likely in the default config for 3.0.17 , too.

> Can someone tell me if this is what I intend and possibly where my mistake lies?

  If you configure it as documented, it should work.  If the "ldapsearch" works, then FreeRADIUS should work.

  If it doesn't work, I'd blame AD. 

  Most LDAP servers don't have these problems.  Only AD.  :(

  Alan DeKok.

More information about the Freeradius-Users mailing list