After a bit of effort I have managed to get Wireless with WPA encryption working with FreeRadius and an eDirectory LDAP Backend (using Universal password). My last task is to allow Wireless authentication only to members of a given LDAP Group. I seem to be having some issues though. Here is my ldap config in /etc/raddb/radiusd.conf:
ldap {
        server = "ldap.pbu.edu"
        identity = "cn=admin,o=PBU"
        password = "password"
        basedn = "o=PBU"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        start_tls = yes
        tls_cacertfile = /etc/raddb/certs/rootder.b64
        access_attr = "cn"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = nspmPassword
        edir_account_policy_check=yes
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

If I empty out /etc/raddb/users completely, authentication works. If I put the following in users:

DEFAULT LDAP-Group == "Wireless", Auth-Type := Accept
        Fall-Through = No

DEFAULT Auth-Type := Reject

and start freeradius with "radiusd -X -A" I get:

rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'o=PBU'
radius_xlat: '(uid=jlee)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PBU, with filter (uid=jlee)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=cn=jlee,o=PBU))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=jlee,o=PBU)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PBU, with filter (&(cn=Wireless)(|(&(objectClass=GroupOfNames)(member=cn=jlee,o=PBU))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=jlee,o=PBU))))
rlm_ldap::ldap_groupcmp: User found in group Wireless
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 1
modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jlee
radius_xlat: '(uid=jlee)'
radius_xlat: 'o=PBU'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PBU, with filter (uid=jlee)
rlm_ldap: checking if remote access for jlee is allowed by cn
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jlee authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 1
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[post-auth]: module "ldap" returns ok for request 1
modcall: group post-auth returns ok for request 1
Sending Access-Accept of id 194 to 10.1.1.44:32769
Finished request 1

However, the wireless client never quite seems to finish associating. Any ideas what I'm doing wrong here? What should the users file look like to allow anyone who is a member of the Wireless LDAP group and deny everyone else?

Jay Lee

--
Jay Lee
Network / Systems Administrator
Information Technology Dept.
Philadelphia Biblical University

--
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
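As an added example (it is not part of Jay's post and not FreeRADIUS project documentation), here is a users file that keeps the "Wireless group only" restriction but does not force Auth-Type := Accept. The posted file assigns Auth-Type := Accept to every group member, and the debug output shows the consequence ("rad_check_password: Auth-Type = Accept, accepting the user"): the server sends an Access-Accept without running any credential check, so nothing verifies the eDirectory password and, for an EAP-based WPA client, the EAP conversation is never completed. The version below assumes that EAP is configured in radiusd.conf for the WPA clients (so the eap module sets Auth-Type itself), that the ldap module is instantiated so the LDAP-Group check item can be evaluated, and that the group name is "Wireless" as on the page.

```conf
# /etc/raddb/users -- added example, not the original poster's file.
# Assumes: eap is configured and sets Auth-Type for WPA clients;
# the ldap module is instantiated so LDAP-Group can be compared;
# the group to allow is "Wireless".

# Members of the Wireless group: no Auth-Type is forced here, so the
# authentication configured elsewhere (EAP / eDirectory password)
# still decides accept or reject. Fall-Through = No stops the next
# DEFAULT entry from being matched for these users.
DEFAULT LDAP-Group == "Wireless"
        Fall-Through = No

# Everyone who did not match above is rejected outright.
DEFAULT
        Auth-Type := Reject
        Reply-Message = "Not authorised for wireless access"
```

The first entry has check items only; leaving Auth-Type alone is what keeps the password or EAP verification in the path. Note that the LDAP-Group comparison runs on each request that passes through the authorize section, including the tunnelled inner request of PEAP or TTLS, so the User-Name seen there must be one that the ldap filter can resolve to a DN.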