Allow only AD users in a specific AD group to log in via FreeRADIUS

Hello guys,

I'm doing a final project for my computer/IT education. The topic is "Implementation of a RADIUS Server and a 2FA System to Secure a VPN".
So far I've set up a privacyIDEA server with the FreeRADIUS plugin (plus a firewall, Windows Server 2019 and a Windows client). All AD users are synced with privacyIDEA. Everything is working, and every AD user needs to authenticate with password + OTP token to log in via RADIUS.

Furthermore, I want only users who belong to a specific AD group to be allowed to log in via RADIUS.
"radius_auth" should be the group that is allowed to log in.

My rlm_perl.ini is configured like this:

These are my policies in privacyIDEA:

The FreeRADIUS log shows:
“No match, no Radius attribute Filter-ID added”
“No match, no Radius attribute otherAttribute added”
“No match, no Radius attribute other Class added”

What am I doing wrong?
Appreciate any help!

Check your PrivacyIDEA resolver, do you have memberOf configured in the multivalue attributes section? The FreeRADIUS plugin does not talk to Active Directory, only to PrivacyIDEA. PrivacyIDEA only pulls a limited set of AD attributes from AD (or whatever directory service you use). In order to pull more values, you have to instruct PrivacyIDEA to do so in the user resolver.

Here’s the section in the documentation that discusses user resolvers, go down to the section on AD and carefully read about attribute mapping and the multivalue attribute mapping.


Hi @Tomahawk
Your original post sounds as if you would not need such a complicated setup.
If you only want a certain group of users from AD in your scenario, then you could also limit the users that you actually fetch from AD.
Users who are not found by the resolver would not be able to log in via RADIUS, since these users would be unknown to privacyIDEA.

You can limit the users with an LDAP search filter like:

(sAMAccountName=*)(memberOf=CN=radius_users,cn=users,dc=example,dc=com)
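To make the two answers above concrete (memberOf is multi-valued, and an account the resolver's search filter does not match is simply unknown to privacyIDEA), here is an added example that is not privacyIDEA or FreeRADIUS code. It implements a small evaluator for the LDAP filter subset used in the thread (AND/OR/NOT, equality, presence) and runs it over constructed, in-memory AD-like entries. The group DN and account names are made up for the example, and the way the configured filter is AND-wrapped together with the login attribute is an assumption about how such a resolver builds its query, not a claim about privacyIDEA's internals.

```python
"""Added example (not privacyIDEA or FreeRADIUS code): a tiny LDAP filter
evaluator run over constructed AD-like entries, to show what the search
filter from the thread does and does not match."""

from typing import Dict, List, Optional, Tuple, Union

Entry = Dict[str, Union[str, List[str]]]
Node = Tuple  # ('&'|'|', [children]) | ('!', [child]) | ('=', attr, value)

# Assumed group DN, as used in the thread's filter (constructed, not real).
RADIUS_GROUP_DN = "CN=radius_users,cn=users,dc=example,dc=com"
SEARCH_FILTER = f"(sAMAccountName=*)(memberOf={RADIUS_GROUP_DN})"

# Constructed sample entries; nothing here comes from a real directory.
SAMPLE_USERS: List[Entry] = [
    # Direct member of radius_users. memberOf is multi-valued: one DN per
    # group the account is a direct member of. The DN case deliberately
    # differs from the filter; DN-syntax attributes compare case-insensitively.
    {"sAMAccountName": "alice",
     "memberOf": ["CN=Radius_Users,CN=Users,DC=example,DC=com",
                  "CN=Domain Users,CN=Users,DC=example,DC=com"]},
    # Not in the group: the resolver must not return this account.
    {"sAMAccountName": "bob",
     "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"]},
    # Only in vpn_admins, which we pretend is nested inside radius_users.
    # memberOf lists direct groups only, so a plain (memberOf=...) filter
    # does not see nested membership: carol stays unknown.
    {"sAMAccountName": "carol",
     "memberOf": ["CN=vpn_admins,CN=Users,DC=example,DC=com"]},
]


def parse_filter(text: str) -> Node:
    """Parse the RFC 4515 subset used here: AND, OR, NOT, equality and
    presence (attr=*). Value escaping is not handled in this toy parser."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at {pos}: {text[pos:]!r}")
    return node


def _parse(text: str, i: int) -> Tuple[int, Node]:
    if i >= len(text) or text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(text):
        raise ValueError("unterminated filter")
    op = text[i]
    if op in "&|":
        i += 1
        children: List[Node] = []
        while i < len(text) and text[i] == "(":
            i, child = _parse(text, i)
            children.append(child)
        if not children:
            raise ValueError(f"empty {op!r} filter")
        return _close(text, i), (op, children)
    if op == "!":
        i, child = _parse(text, i + 1)
        return _close(text, i), ("!", [child])
    end = text.find(")", i)
    if end < 0:
        raise ValueError("missing ')'")
    attr, eq, value = text[i:end].partition("=")
    if not attr or not eq:
        raise ValueError(f"bad item {text[i:end]!r}")
    return end + 1, ("=", attr, value)


def _close(text: str, i: int) -> int:
    if i >= len(text) or text[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def _values(entry: Entry, attr: str) -> List[str]:
    """LDAP attribute names are case-insensitive; always return a list."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(node: Node, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = _values(entry, attr)
    if value == "*":  # presence test
        return bool(values)
    # sAMAccountName and DN-syntax attributes such as memberOf compare
    # case-insensitively in AD; a multi-valued attribute matches if any
    # one of its values does.
    return any(v.lower() == value.lower() for v in values)


def resolver_users(search_filter: str = SEARCH_FILTER,
                   directory: List[Entry] = SAMPLE_USERS) -> List[str]:
    """Account names the resolver would list. The configured filter is
    AND-wrapped (assumed), which is why two bare items work as a filter."""
    tree = parse_filter(f"(&{search_filter})")
    return [str(e["sAMAccountName"]) for e in directory if matches(tree, e)]


def resolve_login(login: str, search_filter: str = SEARCH_FILTER,
                  directory: List[Entry] = SAMPLE_USERS) -> Optional[Entry]:
    """Look up one login: the login attribute is AND-ed onto the configured
    filter (assumed wrapping). None means the user is unknown to the resolver."""
    tree = parse_filter(f"(&{search_filter}(sAMAccountName={login}))")
    hits = [e for e in directory if matches(tree, e)]
    return hits[0] if hits else None


if __name__ == "__main__":
    print(resolver_users())  # ['alice']
    for name in ("alice", "bob", "carol"):
        print(name, "known" if resolve_login(name) else "unknown")
```

The carol entry is the caveat worth remembering with this approach: a `memberOf` equality filter only sees direct membership, so accounts that reach the group through a nested group are not fetched and therefore cannot log in. Dropping the `memberOf` item from the filter (as in the original "all users" setup) makes every sample account resolvable again.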

Thanks for your help, this seems much easier!

Now everything is working as expected!


Hello, I have a slightly different scenario: I need all users to be able to enroll, but only a subset (members of an AD group) to be able to authenticate.

I created two LDAP resolvers, one with all users and the other with a memberOf filter.

I assigned the first resolver to the user policy and the filtered resolver to the authentication policy, thinking that the RADIUS authentication would fail if the user is not part of the AD group.

Users can however authenticate even if they are not part of the AD group. Am I missing something? Should I use something else to achieve the desired behavior?

Thanks