LDAP(Active Directory) password AND groups not working together

duckeo duckeo at gmail.com
Mon Jun 26 08:37:05 CEST 2006


On 6/26/06, duckeo <duckeo at gmail.com> wrote:
> The aim is to authenticate users to their MS active directory account
> via LDAP, and then check that the user is a member of the WirelessVPN
> group -- if these two conditions meet then the user is granted access.
>
> What's happening at the moment is as long as the user EXISTS the
> authentication will pass, even if the password is incorrect. If the
> user account does not exist it will fail.

Found the problem, looks like I'm not supposed to have Auth-Type :=
Accept at the end of the lines?

I now have:
# successful, user has LDAP password and Group access
DEFAULT Auth-Type := LDAP, Ldap-Group == "RadiusWirelessVPN"
        Service-Type = Framed,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255

# User does not have the correct password
DEFAULT Auth-Type != LDAP, Auth-Type := Reject
        Reply-Message = "Access Rejected - Please check your username and password and try again."

# User is not a member of the correct group
DEFAULT Ldap-Group == "RadiusWirelessVPN", Auth-Type := Reject
        Reply-Message = "Access Rejected - You do not have permission to log onto this service."

#default reject
DEFAULT Auth-Type := Reject
        Reply-Message = "Access Rejected - Please check your username and password and try again."

Is this the correct way to be handling errors? Functionally it works,
but it is not sending back the correct messages (i.e. hitting the
correct rule) upon failing.
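The fail-open behaviour described above (any existing user passes when an entry ends in Auth-Type := Accept) can be reproduced with a small model of users-file matching. This is an added example, not code from the post or from FreeRADIUS: the directory contents, user names and the BROKEN entry are constructed, and only the first and last DEFAULT entries of the corrected config are modelled.

```python
# Simplified model of "users"-file matching (constructed; not FreeRADIUS code):
# ":=" always matches and sets the item, "==" / "!=" compare to the request.

DIRECTORY = {  # constructed directory: user -> (password, groups)
    "alice": ("correct-horse", {"RadiusWirelessVPN"}),
    "bob": ("battery-staple", {"Staff"}),
}

def check_matches(request, attr, op, val):
    """One '==' or '!=' check item against the request attribute list."""
    have = request.get(attr)
    hit = val in have if isinstance(have, set) else have == val
    return hit if op == "==" else not hit

def select_auth_type(entries, request):
    """Auth-Type set by the first entry whose check items all match."""
    for checks in entries:
        control, ok = {}, True
        for attr, op, val in checks:
            if op == ":=":
                control[attr] = val  # always matches; the last write wins
            elif not check_matches(request, attr, op, val):
                ok = False
                break
        if ok:
            return control.get("Auth-Type", "Reject")
    return "Reject"

def authenticate(entries, user, password):
    """Simulate one Access-Request; returns (accepted, auth_type_used)."""
    if user not in DIRECTORY:
        return False, "unknown-user"
    real_pw, groups = DIRECTORY[user]
    request = {"User-Name": user, "Ldap-Group": groups}  # group check = membership
    auth_type = select_auth_type(entries, request)
    if auth_type == "Accept":
        return True, auth_type  # password never consulted: fail-open
    if auth_type == "LDAP":
        return password == real_pw, auth_type  # stands in for the LDAP bind
    return False, auth_type

# Group entry with the trailing Accept that let any existing user in, plus the
# default reject; then the corrected first and last DEFAULT entries from the post
BROKEN = [[("Auth-Type", ":=", "LDAP"), ("Ldap-Group", "==", "RadiusWirelessVPN"),
           ("Auth-Type", ":=", "Accept")],
          [("Auth-Type", ":=", "Reject")]]
FIXED = [[("Auth-Type", ":=", "LDAP"), ("Ldap-Group", "==", "RadiusWirelessVPN")],
         [("Auth-Type", ":=", "Reject")]]
```

With BROKEN, alice is accepted with any password because the last `:=` overrides Auth-Type to Accept; with FIXED the bind password decides, and non-members fall through to the reject entry.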



More information about the Freeradius-Users mailing list