How can I properly deny certain users or groups from being able to dial in and establish PPP sessions?
For groups:
DEFAULT Ldap-Group == "mygroup", Auth-Type := Reject
As for users you can just use an existing attribute (or add a new one) by using the access_attr configuration directive.
Or you could just use an existing attribute in the ldap filter, to filter out any users you don't want to allow access.
and the portion of my radius.conf that I think is relevant - modules { pam { # pam_auth = radiusd pam_auth = system-auth } ldap { access_group = "cn=DialupUsers,ou=DialUsers,o=uvi.edu"
access_group is *heavily* deprecated. Don't use it. One of the reasons you should upgrade.
Do I do this in the users file or the .conf file?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
