Filter OpenLDAP users account upon Freeradius 3.0.10 NAS-Port-Id

Alan DeKok aland at deployingradius.com
Tue Dec 15 19:36:48 CET 2015


On Dec 15, 2015, at 1:30 PM, François Lacombe <fl.infosreseaux at gmail.com> wrote:
> I'm not sure OpenSWAN and StrongSwan are the same software.

  They're based on the same FreeSWAN code base.

> As explained in the first lines of this article:
> https://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius
> Strongswan only redirects EAP packets to the radius. The EAP packets
> come directly from users.

  Please read the page again.  That's EAP.  It's NOT sending RADIUS packets from the end users to FreeRADIUS.

  StrongSWAN is sending RADIUS packets to FreeRADIUS.  StrongSWAN is the RADIUS client.

> I don't know exactly what 'redirect' means here. Strongswan may modify
> on the fly some fields to let Freeradius imagine strongswan actually
> has sent radius packets.

  No.

> Nevertheless I agree that NAS-IP-Address should always be the IP of
> strongswan server instead of the users' one.

  Yes.  That's what the RFCs say the NAS-IP-Address should be.

> I've changed the filter and now the RADIUS only authorizes users with
> networkAccess corresponding to NAS-Port-Id. It's ok.
> If not, LDAP isn't returning any result and Freeradius still goes into the
> authenticate section instead of rejecting the request directly in the
> Authorize section. Is this correct?

  Yes.  LDAP is just a database.

> In this particular case, Freeradius would do better to reject the request
> in the Authorize section, wouldn't it?

  Not for EAP.

  And the server is NOT set up to automatically reject users who aren't found in the database.  *You* can configure that, but it's not the default.  This is because some people have users in multiple databases.  And they want the server to try them all, instead of just rejecting a user who isn't found in the first database.

  Your use-case is not everyone's use-case.

  Alan DeKok.
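The two pieces of configuration discussed in this thread, written out as an added example (not configuration posted by either participant): the LDAP user filter that constrains the lookup by NAS-Port-Id, and the opt-in "reject when not found" that Alan says is not the default. The server name, base_dn and the use of uid as the naming attribute are assumptions; networkAccess is the attribute name from the thread.

```unlang
# mods-available/ldap (excerpt), FreeRADIUS 3.0.x syntax.
# Only entries whose networkAccess value equals the NAS-Port-Id sent by the
# RADIUS client (here strongSwan) will match, so a user who is not allowed
# on that port simply produces no LDAP result.
ldap {
    server = "ldap.example.org"                 # placeholder
    user {
        base_dn = "ou=people,dc=example,dc=org" # placeholder
        # uid as the naming attribute is an assumption; networkAccess is from the thread
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(networkAccess=%{NAS-Port-Id}))"
    }
}

# sites-enabled/default, authorize section (excerpt).
# Default behaviour: a "notfound" return from ldap is not fatal. The request
# falls through to the authenticate section, which is what the thread observed.
authorize {
    preprocess
    ldap
    # other modules follow (pap, eap, ...)
}

# Opt-in behaviour: treat "not found in LDAP" as a hard reject in authorize.
# Only do this where LDAP is the sole user database for this server.
authorize {
    preprocess
    ldap
    if (notfound) {
        reject
    }
    # other modules follow (pap, eap, ...)
}
```

As Alan notes, the hard reject is a site-specific choice and not the right fit for EAP, where the default fall-through should be kept.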




More information about the Freeradius-Users mailing list