Allowing Access based on Group Membership
jlee at pbu.edu
Thu Feb 16 18:05:29 CET 2006
On Wed, February 15, 2006 1:15 pm, Alan DeKok wrote:
> "Jay Lee" <jlee at pbu.edu> wrote:
>> My last task is to allow Wireless authentication only to
>> members of a given LDAP Group.
> ... i.e. to reject wireless for everyone else.
So the glass is half empty? :-)
>> If I empty out /etc/raddb/users completely, authentication works. If I
>> put the following in users:
>> DEFAULT LDAP-Group == "Wireless", Auth-Type := Accept
> Then people in the wireless group don't have their passwords checked.
Yeah, guess that's not what I want, I thought the group check was taking
place after the password check.
>> DEFAULT Auth-Type := Reject
> And everyone else gets rejected.
>> However, the wireless client never quite seems to finish associating.
>> ideas what I'm doing wrong here? What should the users file look like
>> to allow anyone who is a member of the Wireless LDAP group and deny
>> everyone else?
> DEFAULT LDAP-Group != "Wireless", Auth-Type := Reject
> That rejects everyone who isn't in wireless. As for the wireless
> people, their passwords should be checked using the normal process. You
> shouldn't have to do anything special there.
That works perfectly, thanks!
Network / Systems Administrator
Information Technology Dept.
Philadelphia Biblical University
More information about the Freeradius-Users