Allow only AD-User with specific AD Group to login via Freeradius

Hello guys,

i’am doing a final project for my Computer-IT Education. The Topic is “Implementation of a Radius Server and a 2FA System to secure a VPN”.
So far I’ve setup a privacyIDEA Server with the Freeradius Plugin (and Firewall and Windows Server2019 + Windows Client). All AD Users are synced with privacyIDEA. Everything is working and every AD-User needs to authenticate with Password + OTP Token to login via Radius.

Furthermore i want only users who belongs to a specific AD Group, are allowed to login via Radius.
“radius_auth” should the be the group which is allowed to login.

My rlm_perl.ini is configured like this:

This are my policies in privacyIDEA:

The Freeradius Logs shows:
“No match, no Radius attribute Filter-ID added”
“No match, no Radius attribute otherAttribute added”
“No match, no Radius attribute other Class added”

What am I doing wrong?
Appreciate any help :slight_smile:

Check your PrivacyIDEA resolver, do you have memberOf configured in the multivalue attributes section? The FreeRADIUS plugin does not talk to Active Directory, only to PrivacyIDEA. PrivacyIDEA only pulls a limited set of AD attributes from AD (or whatever directory service you use). In order to pull more values, you have to instruct PrivacyIDEA to do so in the user resolver.

Here’s the section in the documentation that discusses user resolvers, go down to the section on AD and carefully read about attribute mapping and the multivalue attribute mapping.

2 Likes

Hi @Tomahawk
Your original post sounds as if you would not need such a comlicated setup.
If you only want a certain group of users from AD in your scenario, then you could also limit the users, which you are actually fetching from AD.
Users who are not found by the resolver would not be able to login via RADIUS, since these users would be unknown to privacyIDEA.

You can limit the users by the LDAP search filter like

(sAMAccountName=*)(memberOf=CN=radius_users,cn=users,dc=example,dc=com)
2 Likes

Thanks for your help, this seems much easier!

Now everything is working as expected :ok_hand: :+1:

1 Like