Sorry to re-post, but I'm still banging my head against the wall with this... If anyone could help, or provide a pointer to something that (obviously) I'm missing, it would be greatly appreciated.
Hi,

I've googled this to no avail (have been working on it for about 4 hours now). I'm running FreeRADIUS 1.1.0 (SuSE package) and OpenLDAP 2.3.19. I have an access point that will do captive portal, but only via RADIUS, not via LDAP natively. I already have an LDAP server running, so I just added a new groupOfNames called "WirelessUsers".

Basically, *all* I want RADIUS to do is check the username and password, and assuming they are correct, either allow or deny based on whether the user is a member of "WirelessUsers".

According to radtest, I have it working with LDAP, but it allows everyone with a valid username and password access, regardless of the WirelessUsers group - and I'm not seeing anything related to that group in the LDAP logs.

I can't seem to find anything online for freeradius1 relating to groupOfNames, so I've just been trying random things that I found online (for raddb/users) hoping one would work.

radiusd.conf:

ldap {
        server = "127.0.0.1"
        basedn = "dc=example,dc=com"
        filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = userPassword
        groupname_attribute = cn
        groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
        groupmembership_attribute = "memberof"
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

users:

#DEFAULT Auth-Type == LDAP
#       Fall-Through = Yes
DEFAULT LDAP-Group == "WirelessUsers"
        Auth-Type := Reject
#DEFAULT Ldap-Group != "WirelessUsers", Auth-Type := Reject
#       Reply-Message = "Sorry, your account has not yet been enabled for wireless access."
#DEFAULT Huntgroup-Name == "wirelessusers", Ldap-Group=="WirelessUsers", Auth-Type = LDAP
#DEFAULT Auth-Type := Reject
#DEFAULT Ldap-Group == "WirelessUsers"
#       Fall-Through = no
DEFAULT Ldap-Group == WirelessUsers
        Fall-Through = no
DEFAULT Auth-Type := Reject

I've tried all of the commented out stuff also, and none of it worked. All I want is (assuming username & password are correct) allow anyone who is in "WirelessUsers" group, deny everyone else.

I'm sure this is horribly simple, but I just can't seem to figure it out from the docs or from extensive googling.

Thanks for any help,
Jason Antman
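
A diagnostic check for the setup in this post, added here as an example and not part of the original message or of FreeRADIUS: it runs by hand the group search that the posted ldap settings imply, so you can see whether the directory returns WirelessUsers for a given user DN. It assumes the module ANDs groupname_attribute (cn) with the expanded groupmembership_filter (compare with the filter shown by radiusd -X), that anonymous bind is allowed, and that the user DN is supplied by you; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: reproduce the LDAP group lookup outside of radiusd.
# Server, base DN and filter shape are taken from the posted ldap{} block.

# Escape a value for use inside an LDAP search filter (RFC 4515),
# so a '*' or parenthesis in a name cannot change the filter's meaning.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the search filter for "is user DN $1 a member of group $2?".
# Assumption: the group name (groupname_attribute = cn) is ANDed with the
# groupmembership_filter after %{Ldap-UserDn} is replaced by the user's DN.
group_filter() {
    dn=$(ldap_escape "$1")
    grp=$(ldap_escape "$2")
    printf '(&(cn=%s)(|(&(objectClass=GroupOfNames)(member=%s))(&(objectClass=GroupOfUniqueNames)(uniquemember=%s))))' \
        "$grp" "$dn" "$dn"
}

# Return 0 only if the directory hands back the group entry for this user.
# Uses an anonymous simple bind (-x); add -D/-W if your server requires one.
in_group() {
    ldapsearch -x -LLL -H ldap://127.0.0.1 -b 'dc=example,dc=com' \
        "$(group_filter "$1" "$2")" cn | grep -qi "^cn: $2\$"
}

# Usage: ./check-group.sh 'uid=jdoe,ou=people,dc=example,dc=com' WirelessUsers
# (the DN above is a constructed sample, not taken from the post)
if [ "$#" -eq 2 ]; then
    echo "filter: $(group_filter "$1" "$2")"
    if in_group "$1" "$2"; then
        echo "directory returns group $2 for $1"
    else
        echo "no match (not a member, wrong DN form, or search not permitted)"
    fi
fi
```

If this search matches only for real members, the directory side is fine and the remaining question is whether radiusd ever issues it; if it never matches, check that the member values in the group are full DNs in the same form as the user's DN.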