Re: denying access to user from device
> Rob Shepherd wrote:
> TYPO!
>
> DEFAULT HuntGroup-Name == ciscovpnc
> Autz-Type := ldap
>
> ...is how it looks in raddb/user.
You need to put the Autz-Type on the first line as a check item.

DEFAULT HuntGroup-Name == ciscovpnc, Autz-Type := ldap

If I understand correctly, with the Autz-Type on the second line you are
trying to set it as a reply item. However, Autz-Type is a server
configuration attribute, not a standard RADIUS attribute that a client
(NAS) would understand, which is why you need to set it on the first line.

I've been using a similar configuration for a while, except we use
multiple ldap modules and I also set Auth-Type as well as the Autz-Type.
> Oh, and I tried various combos of
>
> Autz-Type ldap{
> ldap
> }
>
> in authorize{ too. No joy.
This looks fine to me, probably just need to fix the DEFAULT line.