separating Users?

John Dennis jdennis at redhat.com
Mon Nov 30 23:28:02 CET 2009


On 11/30/2009 05:07 PM, freeradius at corwyn.net wrote:
> At 03:27 PM 11/30/2009, David Mitchell wrote:
>> 1) Don't specify the Auth-Type. You still want to check the password I
>> assume. I think your config will let in any user who is in group
>> "Group1" irrespective of the supplied password.
>
> Sigh. Here I was all excited that I had everything working, and was
> merrily working on my docs and making them into a HOWTO. And you're
> right on target. Correct user ID any password permits access.
>
> So here's my users file once I take that out:
> DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == "Infrastructure"
>     Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15"
> DEFAULT Auth-Type = ntlm_auth
>
> And now it doesn't work.
> "Authentication failed".
>
> If I switch the order I get:
> "Authorization failed"

You need to set fall-through so that you still do per user processing. 
This is documented in the raddb/users file and you should also read 
doc/processing_users_file

-- 
John Dennis <jdennis at redhat.com>
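
The fix described in this reply, as an added example that is not part of the original thread: a `raddb/users` layout in which the password check and the group-based reply both apply. It assumes an `ntlm_auth` Auth-Type is defined in the `authenticate` section and that `Cisco_Huntgroup` exists in `raddb/huntgroups`; the final reject entry and its Reply-Message text are additions beyond what the posters wrote.

```conf
# Entry 1: matches every request. The "=" operator sets Auth-Type only if
# no earlier entry has set it, so the supplied password is still verified
# by ntlm_auth. Without Fall-Through the server stops at the first matching
# entry; that is why one ordering in the thread never set Auth-Type
# ("Authentication failed") and the other never sent the Cisco reply
# attributes ("Authorization failed").
DEFAULT Auth-Type = ntlm_auth
        Fall-Through = Yes

# Entry 2: only check items here, no Auth-Type. Group membership decides
# which reply attributes are returned, not whether the password is checked.
# No Fall-Through, so processing ends here for members of the group.
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == "Infrastructure"
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15"

# Entry 3 (assumption, not from the thread): requests that did not match
# entry 2 reach this point with Auth-Type still ntlm_auth, so a valid
# password alone would be accepted without any privilege attributes.
# ":=" replaces the earlier Auth-Type and rejects those requests.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not authorized for this device"
```

After a change like this, test with both a wrong password for a group member and a correct password for a non-member; both should be rejected.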
