FreeRadius 3.0.13 + Google Auth + SSSD + Active Directory - Filter via AD security groups

I am a newbie to FreeRadius, so my knowledge is not in-depth. I am trying to configure a central radius to handle any network based systems (switches, routers, firewalls, & VPN) to authenticate end-users when they are trying to SSH and/or VPN into the system. All of my equipment supports radius.

Environment:

• OS = CentOS 7
• FreeRadius = 3.0.13
• google-authenticator-libpam = 1.09
• I did not post my config files as they are exactly covered by the reference link. I will post them in a follow-up post for ease of reading

Reference: I followed this page to get the majority of the system operational (SSLVPN Two - Factor Authentication with Google Authenticator

What is working:

• Using radtest, I can authenticate with an AD based user with their AD password+OTP
• Was able to get a network switch authenticate and access-accept reply message to include custom VSA for user group (used unlang within the post-auth area based only on the user-name). Not ideal but just for testing the concept.

Next Steps (the question): I want to be able to ultimately decide if the end-user is granted access to VPN or switch via AD security groups. So from my understanding, I could perform this within the auth module or the post-auth. I believe the correct place would be in the post-auth possible using unlang (but correct me if this is not the general area to do this). I don't know how/where I need to perform the LDAP lookup to get the user-name AD security group info. In theory, once I have the user's name & group info, these can be used in multiple filters to declare if they get access to a group of systems. Thanks

So I figured out how to accomplish what I was trying to do.

1. Configure /etc/raddb/clients.conf

2. Add the option under each client of virtual_server = custom_vs01

3. Duplicate (copy do not rename) /etc/raddb/sites-available/default to /etc/raddb/sites-available/custom_vs01

4. Edit custom_vs01. Change the server block to match the file. orig: server default { new: server custom_vs01 {

5. Change the port for the AUTH and ACCT to an actual port (E.g. 511812 & 511813)

6. In the post-auth section; add unlang to look for LDAP group So basically if the authenticated user is not part of either of the AD groups, then we update the control and reject them from access

   post-auth {
     update {
       &reply: += &session-state:
     }
   -sql
   exec
   remove_reply_message_if_eap
   # Custom post-auth policies
     if (LDAP-Group == "AD_Group_SystemAdmins") {
       update reply {
         Class := "AD_Group_SystemAdmins"
       }
     }
     elsif (LDAP-Group == "AD_Group_SystemUsers") {
       update reply {
         Class := "AD_Group_SystemUsers"
       }
      }
     else {
       update reply {
         Reply-Message = "Not authorized to access this system"
       }
       update control {
         Auth-Type := "Reject"
       }
      }