Microsoft AD group check

Arran Cudbard-Bell a.cudbardb at
Sun Jan 12 19:22:20 CET 2020

> On Jan 12, 2020, at 12:59 PM, Alan DeKok <aland at> wrote:
>> On Jan 12, 2020, at 12:38 PM, Olivier Mahieu <o_mahieu at> wrote:
>> Does this also work with PEAP-MSCHAPv2?
>  VLAN assignment has nothing to do with PAP / CHAP / PEAP / etc.  So yes, it works.
>> Meaning in /sites-available/default, Auth-Type LDAP is disabled.
>  You can't use that for EAP.

Unless its EAP-TTLS-PAP or EAP-TTLS-EAP-GTC or EAP-PEAP-GTC and you're using it in the inner tunnel.

>> Looking for a solution for dynamic VLAN assignment with PEAP/MSCHAPv2.
>  It works.    Just try it.
>  For PEAP, put the VLAN assignment into the "post-auth" section.  There's no reason to have it anywhere else.

Agreed. Though you also need to make sure you've enabled tunnel reply attribute in the EAP module config.

A few other things.

Although there may be 800 groups it's very unlikely a user would be a member of all of them and LDAP would be returning a small subset.

Group checking with an LDAP query can in itself be inefficient if you're doing many group checks, as each check involves a roundtrip to the LDAP server.  What it's good for is checking a minimal number of group memberships which involve wildcard filter matches.

Depending on how many groups are returned for a user, and whether resolving group information requires additional lookups, it may be more efficient to use cachable_name or cacheable_dn to retrieve the complete list.  You'll then be able to use pattern matching on that list as specified in the answer to the stack overflow question you posted.

Please don't cross post when you've already received an answer somewhere else, it increases the net effort expended by the community to answer your question.


More information about the Freeradius-Users mailing list