Simon,

Did you enable the 'ldap' entry in the authorize section(s) of your default and 
inner-tunnel servers?

It is commented out by default.

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Simon Grierson
Sent: 01 October 2013 15:08
To: freeradius-users@lists.freeradius.org
Subject: Active Directory Group Membership filtering query

Hi there,

I'm new to freeradius, and am setting it up purely in a test environment before 
deploying live.

We're using Freeradius 2.2.0 and Ubuntu Server 12.04.3 LTS with Active 
Directory and Fortinet Fortigate based APs.

We're trying to achieve the following:
Authentication via Active Directory, but with access granted depending on AD 
Group membership.

E.g.: User A is allowed Wifi access, as they are in the Wifi-Users group.
User B is not, as they do not have membership of this group.

So we have the Freeradius server up and running, and it can authenticate 
against AD fine, but I can't figure out the group filtering portion of the setup.

The documentation points to configuring the modules/ldap file to point to our 
LDAP server (i.e. our AD server), and to configure the /users file with the 
following lines:


DEFAULT Ldap-Group == "CN=sec-eduroam-users,OU=Access,OU=SecurityGroups,OU=Groups,DC=testres,DC=org"
DEFAULT Auth-Type = Reject


When I run freeradius in debug mode, we get all the usual output but no ldap 
modules mentioned.

It does include modules/ldap but little else.


FYI I have built this 3 times,


1. With 13.04 Ubuntu Server and Freeradius 2.2.0 from source

2. With 12.04 LTS with FR 2.2.1 from source

3. With 12.04 LTS with FR from the Launchpad based package 
ppa:freeradius/stable which is from 2.2.0

I can authenticate against LDAP and pull down group information using command 
line queries, so I know that LDAP is installed correctly and working in the 
linux build.

What I can't get is LDAP to work through freeradius.

Am I doing something wrong, is there a better way to do this?

Any help appreciated!
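
The check suggested in the reply at the top of this thread (is `ldap` uncommented in the authorize section of each virtual server?) can be scripted. The following is an added example, not part of the original messages or of FreeRADIUS; the function names and the two sample configurations are constructed for illustration.

```python
import sys

def active_modules(config_text, section="authorize"):
    """List the first word of every uncommented line inside `section { ... }`,
    including lines nested in if/update/Auth-Type sub-blocks."""
    found, stack = [], []          # stack: names of the blocks currently open
    for raw in config_text.splitlines():
        # Simplification: '#' always starts a comment (true for stock site files).
        line = raw.split("#", 1)[0].strip()
        if line.startswith("}"):   # close a block; may be followed by "else {"
            if stack:
                stack.pop()
            line = line[1:].strip()
        if not line:
            continue
        inside = section in stack
        if line.endswith("{"):
            name = line[:-1].strip()
            stack.append(name)
            line = name
        if inside and line:
            found.append(line.split()[0])
    return found

def ldap_enabled(config_text):
    """True only if `ldap` is called, uncommented, somewhere in authorize."""
    return "ldap" in active_modules(config_text)

# Constructed sample: ldap still commented out in authorize, yet present in
# authenticate, which a plain `grep ldap` would misreport as enabled.
SITE_COMMENTED = """
authorize {
    preprocess
    mschap
    eap
    files
#   ldap
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
    eap
}
"""

# Constructed sample: inner-tunnel style wrapper with ldap uncommented.
SITE_ENABLED = "server inner-tunnel {\nauthorize {\n  mschap\n  eap\n  files\n  ldap  # enabled\n}\n}\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:      # e.g. the default and inner-tunnel site files
        with open(path) as fh:
            print(path, "ldap in authorize:", ldap_enabled(fh.read()))
```

Run it with the paths of the `default` and `inner-tunnel` files under `sites-enabled` in your raddb directory; both should report `True` before group checks are tested in debug mode.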


