Re: denying access to user from device



Where is your "files" declaration in the authorize section?  Do you see the server looking at your users file in the debug messages?  If the users file is never processed, I don't think Autz-Type will be set as you intend.

Try
authorize {
        preprocess
        files
        eap
        mschap
        Autz-Type LDAP {
                ldap
        }
        Autz-Type LDMS {
                ldap
                sql
        }
}


Regards,
Lin



On 9/15/06, Rob Shepherd <rob@techniumcast.com> wrote:
Garrett.Marks@wichita.edu wrote:
>
>
>
>  > Rob Shepherd wrote:
>  > TYPO!
>  >
>  > DEFAULT HuntGroup-Name == ciscovpnc
>  >          Autz-Type := ldap
>  >
>  > ...is how it looks in raddb/user.
>
> You need to put the Autz-Type on the first line as a check item.
>
> DEFAULT HuntGroup-Name == ciscovpnc, Autz-Type := ldap

Thanks to Alan D. and Garrett M. for their comments..

However, neither ldap nor sql are checked at all in any case now.  I've
not quite got it right....

I've since ditched declaring raddb/huntgroups, as a simplifying
exercise. I'm checking for NAS-IP-Address instead in raddb/users.

raddb/users now looks like this


DEFAULT Auth-Type := PAP
         Fall-Through = yes

# wlan controller - needs LDAP and MySQL
DEFAULT NAS-IP-Address == 172.16.6.4, Autz-Type := LDMS
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Fall-Through = yes

# vpn concentrator - only LDAP
DEFAULT NAS-IP-Address == 10.1.33.4, Autz-Type := LDAP
         Fall-Through = yes


radiusd has this..

authorize {
         preprocess
         eap
         mschap
         Autz-Type LDAP {
                 ldap
         }
         Autz-Type LDMS {
                 ldap
                 sql
         }
}

The modules section is as it was when wireless was working. I can see
with -X that the ldap and sql modules are instantiated fine.

Here's the only processing that is done.

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module "eap" returns noop for request 0
   modcall[authorize]: module "mschap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.


If anybody would be so kind as to point me in the right direction....

Thanks IA

Rob

--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
rob@techniumcast.com | 01248 675024 | 077988 72480
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
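The point Lin makes above, shown as one complete configuration. This is an added example, not Lin's or Rob's config and not part of the original thread: it reuses the NAS addresses and the Autz-Type names LDAP and LDMS from Rob's post, and adds a catch-all entry (an assumption, matching the subject of the thread) that rejects requests from any NAS not listed. Check items such as NAS-IP-Address and Autz-Type must sit on the entry's first line; the indented continuation lines are reply items. Nothing in the users file takes effect unless the files module actually runs in authorize, so it is listed there before the Autz-Type sub-sections.

```conf
# raddb/users  (added example, not from the thread)
#
# Entries are tried in order; processing stops at the first match unless
# that entry sets Fall-Through = Yes.  Check items go on line 1 of an
# entry, reply items on the indented lines that follow.

# wlan controller - authorize through LDAP, then SQL.
# Auth-Type is left to the eap/mschap modules for this NAS.
DEFAULT NAS-IP-Address == 172.16.6.4, Autz-Type := LDMS
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802

# vpn concentrator - LDAP only; this NAS sends PAP.
DEFAULT NAS-IP-Address == 10.1.33.4, Autz-Type := LDAP, Auth-Type := PAP

# Assumed catch-all: neither NAS above matched, so this DEFAULT (which has
# no check items and therefore always matches) refuses the request.
DEFAULT Auth-Type := Reject
        Reply-Message = "Access from this device is not permitted"


# raddb/radiusd.conf  (added example; relevant sections only)
#
# "files" must appear in authorize, otherwise raddb/users is never read
# and Autz-Type is never set, so the Autz-Type sub-sections never run.
authorize {
        preprocess
        files
        eap
        mschap
        Autz-Type LDAP {
                ldap
        }
        Autz-Type LDMS {
                ldap
                sql
        }
}

authenticate {
        Auth-Type PAP {
                pap
        }
        mschap
        eap
}
```

To confirm the users file is being consulted, run the server with -X and check that the authorize trace now shows the files module returning a result before eap runs, and that the Autz-Type LDAP or LDMS group is entered for a request from the matching NAS; if the trace still jumps from preprocess straight to eap, as in the output quoted above, files is not in the section.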



This archive was generated by a fusion of Pipermail (Mailman edition) and MHonArc.