denying access to user from device

Lin Richardson lin at xmission.com
Fri Sep 15 17:07:55 CEST 2006


Where is your "files" declaration in the authorize section?  Do you see the
server looking at your users file in the debug messages?  If the users file
is never processed, I don't think Autz-Type will be set as you intend.

Try
authorize {
        preprocess
        files
        eap
        mschap
        Autz-Type LDAP {
                ldap
        }
        Autz-Type LDMS {
                ldap
                sql
        }
}


Regards,
Lin



On 9/15/06, Rob Shepherd <rob at techniumcast.com> wrote:
>
> Garrett.Marks at wichita.edu wrote:
> >
> >
> >
> >  > Rob Shepherd wrote:
> >  > TYPO!
> >  >
> >  > DEFAULT HuntGroup-Name == ciscovpnc
> >  >          Autz-Type := ldap
> >  >
> >  > ...is how it looks in raddb/user.
> >
> > You need to put the Autz-Type on the first line as a check item.
> >
> > DEFAULT HuntGroup-Name == ciscovpnc, Autz-Type := ldap
>
> Thanks to Alan D. and Garrett M. for their comments.
>
> However, neither ldap nor sql are checked at all in any case now.  I've
> not quite got it right....
>
> I've since ditched declaring raddb/huntgroups, as a simplifying
> exercise. I'm checking for NAS-IP-Address instead in raddb/users.
>
> raddb/users now looks like this
>
>
> DEFAULT Auth-Type := PAP
>          Fall-Through = yes
>
> # wlan controller - needs LDAP and MySQL
> DEFAULT NAS-IP-Address == 172.16.6.4, Autz-Type := LDMS
>          Tunnel-Type = VLAN,
>          Tunnel-Medium-Type = IEEE-802,
>          Fall-Through = yes
>
> # vpn concentrator - only LDAP
> DEFAULT NAS-IP-Address == 10.1.33.4, Autz-Type := LDAP
>          Fall-Through = yes
>
>
> radiusd has this..
>
> authorize {
>          preprocess
>          eap
>          mschap
>          Autz-Type LDAP {
>                  ldap
>          }
>          Autz-Type LDMS {
>                  ldap
>                  sql
>          }
> }
>
> The modules section is as it was when wireless was working. I can see
> with -X that the ldap and sql modules are instantiated fine.
>
> Here's the only processing that is done.
>
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>    modcall[authorize]: module "preprocess" returns ok for request 0
>    rlm_eap: No EAP-Message, not doing EAP
>    modcall[authorize]: module "eap" returns noop for request 0
>    modcall[authorize]: module "mschap" returns noop for request 0
> modcall: leaving group authorize (returns ok) for request 0
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
>
>
> If anybody would be so kind as to point me in the right direction....
>
> Thanks IA
>
> Rob
>
> --
> Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
> rob at techniumcast.com | 01248 675024 | 077988 72480
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
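Added example, not part of the original thread and not FreeRADIUS code: a small Python check for the condition Lin describes, that an Autz-Type assigned in raddb/users only takes effect when `files` is called in authorize and a matching Autz-Type block exists. The function names and the sample inputs are constructed for illustration, modelled on the configuration quoted above.

```python
import re

# Constructed inputs, modelled on the configuration quoted in the thread.
AUTHORIZE = """
authorize {
        preprocess
        eap
        mschap
        Autz-Type LDAP {
                ldap
        }
        Autz-Type LDMS {
                ldap
                sql
        }
}
"""
USERS = """
DEFAULT NAS-IP-Address == 172.16.6.4, Autz-Type := LDMS
DEFAULT NAS-IP-Address == 10.1.33.4, Autz-Type := LDAP
"""

def parse_authorize(text):
    """Return (top-level modules, {Autz-Type name: [modules in its block]})."""
    top, autz, current, depth = [], {}, None, 0
    for line in (l.split("#")[0].strip() for l in text.splitlines()):
        if line.endswith("{"):
            depth += 1
            m = re.match(r"Autz-Type\s+(\S+)", line)
            current = m.group(1) if m and depth == 2 else None
            if current:
                autz[current] = []
        elif line == "}":
            depth, current = depth - 1, None
        elif line and depth == 1:
            top.append(line)
        elif line and current:
            autz[current].append(line)
    return top, autz

def lint(authorize_text, users_text):
    """Report why an Autz-Type assigned in raddb/users would never be applied."""
    top, autz = parse_authorize(authorize_text)
    wanted = set(re.findall(r"Autz-Type\s*:=\s*([^\s,]+)", users_text))
    problems = [f"no 'Autz-Type {n}' block in authorize" for n in sorted(wanted - set(autz))]
    # Assumption taken from the reply: only the 'files' module reads raddb/users.
    if wanted and "files" not in top:
        problems.insert(0, "users sets Autz-Type but 'files' is not in authorize")
    return problems
```

Calling `lint(AUTHORIZE, USERS)` on the sample flags the missing `files` entry; with `files` added after `preprocess` it returns an empty list.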

More information about the Freeradius-Users mailing list