Blockage in my FreeRADIUS configuration
Yves Deuscher
deusyv at gmail.com
Fri Jan 31 15:45:51 CET 2014
Hello,
I am writing to you because I found a wealth of important information on the list.
We use 2 FreeRADIUS servers for 2 different things:
- control access to our switches
- secure wifi
For access control to our switches: we have a fleet of 4000 switches allocated to a hundred entities, each with its own IT department (DEP), headed by a central service. We (central) wish to have access to all switches, and to limit each IT department's access solely to its own switches.
Users are in LDAP and assigned to the unix groups DEP25, DEP29, DEP57, ... The central unit is in all groups.
In users, we compare the shortname of the client (from clients.conf) to the unix group:

DEFAULT Group == "%{Client-Shortname}", Huntgroup-Name == "3com", Login-IP-Host != "127.0.0.1"
        Login-Service = 50,
        Service-Type = 7,
        huawei-exec-privilege = 3,
        3Com-User-Access-Level = 3,
        Reply-Message = "Bonjour, %{User-name}"
In clients.conf:

client 192.168.25.0/22 {
        secret = XXXXXXXXXX
        description = reseau-25-Besancon
        shortname = DEP25
}
client 192.168.29.0/22 {
        secret = XXXXXXXXXX
        description = reseau-29-Brest
        shortname = DEP29
}
client 192.168.57.0/22 {
        secret = XXXXXXXXXX
        description = reseau-57-Metz
        shortname = DEP57
}
For the DEPs concerned, the first connection goes well:

Thu Jan 30 23:48:28 2014 : Info: ++[eap] returns noop
Thu Jan 30 23:48:28 2014 : Info: ++[unix] returns updated
Thu Jan 30 23:48:28 2014 : Info: [files] expand: %{Client-Shortname} -> DEP25
Thu Jan 30 23:48:28 2014 : Info: [files] users: Matched entry DEFAULT at line 208
Thu Jan 30 23:48:28 2014 : Info: ++[files] returns ok
For the following connections:

Thu Jan 30 23:48:28 2014 : Info: ++[eap] returns noop
Thu Jan 30 23:48:28 2014 : Info: ++[unix] returns updated
Thu Jan 30 23:48:28 2014 : Info: [files] users: Matched entry DEFAULT at line 208
Thu Jan 30 23:48:28 2014 : Info: ++[files] returns ok
So the comparison is not recalculated, and if a DEP25 user wants to authenticate to DEP57 switches, it is allowed when it should not be.
Am I missing something so that the dynamic substitution takes place at each connection, or am I not approaching the problem from the right direction?
Also, I am trying to configure secure WPA / TTLS; it works with all the keys generated when installing FreeRADIUS, but with mine I get a CA_unknown error.
Do you have a clue?
Thank you in advance for any information you can provide.
Sincerely
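As an added illustration of the intended policy (example code written here, not from the poster or from the FreeRADIUS project): a small Python model that resolves the NAS address to the clients.conf shortname and re-evaluates the DEFAULT entry's check items for every request, so a DEP25-only user is refused on a DEP57 switch. The user names, group memberships and NAS addresses are constructed sample data.

```python
import ipaddress

# Constructed from the clients.conf blocks in the post: network -> shortname.
CLIENTS = {
    "192.168.25.0/22": "DEP25",
    "192.168.29.0/22": "DEP29",
    "192.168.57.0/22": "DEP57",
}

# Constructed sample of the LDAP/unix group memberships described in the post
# (hypothetical user names); the central unit is a member of every DEP group.
GROUPS = {
    "central": {"DEP25", "DEP29", "DEP57"},
    "alice": {"DEP25"},
    "bob": {"DEP57"},
}

# Reply items from the DEFAULT entry in the users file.
REPLY_ITEMS = {"Login-Service": 50, "Service-Type": 7,
               "huawei-exec-privilege": 3, "3Com-User-Access-Level": 3}


def client_shortname(nas_ip):
    """Map the NAS source address to the shortname of the matching client {}
    block, which is what %{Client-Shortname} expands to for that request."""
    addr = ipaddress.ip_address(nas_ip)
    for network, name in CLIENTS.items():
        # strict=False: the post's networks have host bits set (x.x.25.0/22)
        if addr in ipaddress.ip_network(network, strict=False):
            return name
    return None  # no client {} block matches this source address


def authorize(request):
    """Evaluate the DEFAULT entry's check items for ONE request; every check,
    including Group == "%{Client-Shortname}", is recomputed from this request's
    own attributes. Returns the reply items on a match, else None."""
    shortname = client_shortname(request["NAS-IP-Address"])
    if shortname is None:
        return None
    if request.get("Huntgroup-Name") != "3com":
        return None
    if request.get("Login-IP-Host") == "127.0.0.1":
        return None
    # Group == "%{Client-Shortname}": user must belong to the client's group
    if shortname not in GROUPS.get(request["User-Name"], set()):
        return None
    reply = dict(REPLY_ITEMS)
    reply["Reply-Message"] = "Bonjour, " + request["User-Name"]
    return reply
```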