Netgate Discussion Forum
    FreeRadius, filter user with groups

    ewok2

      Hello

      I am trying to configure a wifi AP => FreeRADIUS link with an OpenLDAP.
      It works with a user, but I would like the user to be accepted only if he belongs to a specific LDAP group called "wifi".

      I tried to configure the "Group Membership Options - Server 1" part without success.

      On the OpenLDAP side, if I try this request:

      ldapsearch -x  -D "cn=admin,dc=mydomain,dc=net" -W -b "dc=mydomain,dc=net" '(&(objectClass=posixGroup)(cn=wifi))'
      

      I get an answer that seems OK:

      # wifi, groups, mydomain.net
      dn: cn=wifi,ou=groups,dc=mydomain,dc=net
      objectClass: posixGroup
      gidNumber: 10002
      cn: wifi
      memberUid: user1
      memberUid: user2
      
      # search result
      search: 2
      result: 0 Success
      
      # numResponses: 2
      # numEntries: 1
      

      I have put the following conf in the pfSense/FreeRADIUS:

      ldap {
      	server = "192.168.yy.xx"
      	port = "389"
      	identity = "cn=admin,dc=mydomain,dc=net"
      	password = ************
      	base_dn = "dc=mydomain,dc=net"
      
      	user {
      		base_dn = "${..base_dn}"
      		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
      		### access_attr = "dialupAccess" ###
      	}
      	group {
      		base_dn = "${..base_dn}"
      		filter = '(objectClass=posixGroup)'
      		name_attribute = wifi
      		membership_filter = "(&(objectClass=posixGroup)(memberUid=%{User-Name}))"
      		membership_attribute = radiusGroupName
      		compare_check_items = yes
      		do_xlat = yes
      		access_attr_used_for_allow = yes
      	}
      	profile {
      		filter = "(objectclass=radiusprofile)"
      		### default_profile = "cn=radprofile,ou=dialup,o=My Company Ltd,c=US" ###
      		### profile_attribute = "radiusProfileDn" ###
      	}
      
      ........
      

      But a user that does not belong to wifi can connect to the AP...
      Any idea?

      Thanks

      ewok2

        Some improvement...
        It works, but I am not satisfied!

        I put in the user filter (and deactivated the Group Membership part):

        (&(uid=%{User-Name})(memberOf=cn=wifi,ou=group,dc=mydomain,dc=net))
        

        => It works fine... only users in the "wifi" group can connect
        => I have to add the "memberOf" module in LDAP

        I now have the following LDAP/FreeRADIUS conf:

        ldap {
        	server = "ldap.mydomain.net"
        	port = "389"
        	identity = "cn=admin,dc=mydomain,dc=net"
        	password = 'xxxx'
        	base_dn = "dc=mydomain,dc=net"
        
        	user {
        		base_dn = "${..base_dn}"
        		filter = "(&(uid=%{User-Name})(memberOf=cn=wifi,ou=group,dc=mydomain,dc=net))"
        	}
        	group {
        		base_dn = "${..base_dn}"
        		filter = '(objectClass=posixGroup)'
        	}
        	profile {
        		filter = "(objectclass=radiusprofile)"
        	}
        

        I think there is a better way... if someone knows how?

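An alternative that does not need the memberOf overlay, added here as an example and not taken from the thread or from the pfSense package: keep the user filter plain, let rlm_ldap resolve posixGroup membership through memberUid, and enforce the group in unlang. It assumes FreeRADIUS 3.x syntax (mods-available/ldap and the authorize section of sites-available/default); host, base DN and password are placeholders based on the thread.

```conf
# mods-available/ldap (FreeRADIUS 3.x syntax assumed; values are placeholders)
ldap {
	server = "ldap.mydomain.net"
	port = 389
	identity = "cn=admin,dc=mydomain,dc=net"
	password = "REPLACE_ME"
	base_dn = "dc=mydomain,dc=net"

	user {
		base_dn = "${..base_dn}"
		# Plain user lookup: no group condition here, so the OpenLDAP side
		# does not need the memberOf overlay.
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
		base_dn = "ou=groups,${..base_dn}"
		filter = "(objectClass=posixGroup)"
		# name_attribute is the ATTRIBUTE that carries the group name (cn),
		# not the name of the group you want to match.
		name_attribute = cn
		# posixGroup lists members as memberUid values, so find the groups
		# that list this uid; membership_attribute is not needed for that.
		membership_filter = "(&(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
		# Cache the resolved group names on the request so the unlang check
		# below can compare against them.
		cacheable_name = yes
		cacheable_dn = no
	}
}

# sites-available/default, authorize section (other modules as generated by
# the package stay in place); the ldap call must run before the check.
authorize {
	ldap
	# Only members of the posixGroup "wifi" may continue to authentication;
	# an unknown user has no groups and is rejected by the same test.
	if (!(LDAP-Group == "wifi")) {
		reject
	}
}
```

With this layout the group restriction lives in one place in the policy, so adding a second allowed group later is an unlang change rather than a rewrite of the user filter.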