Matching multiple LDAP-groups during post-auth

Chris Wopat me at falz.net
Wed May 19 15:48:25 CEST 2021


Digging up this thread as I am finally testing with FreeRADIUS 3. I've
ported our config over for LDAP; things are working great in testing.

However, I'd like to re-address my last note: with the pseudocode of
if/else + if/else, we still get a reject.

See below:

On Tue, Apr 6, 2021 at 12:43 PM Alan DeKok <aland at deployingradius.com> wrote:
>
> On Apr 6, 2021, at 10:35 AM, Chris Wopat <me at falz.net> wrote:
> >
> > Thanks for the sample config. Just chiming in to say that this
> > *mostly* worked, the last item, which appears to be checking the
> > existence of "Local-Reject-Check" within the reply, didn't work and
> > I'd always get a reject.

Due to my brain comprehending the output of `radiusd -X` in v3 *much*
better, what appears to be happening is that there's never an explicit
'Accept' with the method suggested at:

http://lists.freeradius.org/pipermail/freeradius-users/2021-March/099690.html

In that case, if a member of 'network 1' and 'optical 1', it
authenticates. If a member of one but not the other,
Local-Reject-Check is populated and it will always reject. Below is a
snippet from when one is a member of the 'network*' group but not the
'optical*' group (I omitted the network* output).

(9)     User is not a member of "optical-users"
(9)     elsif (LDAP-Group == "optical-users")  -> FALSE
(9)     else {
(9)       update reply {
(9)         Local-Reject-Check += "No matching optical"
(9)       } # update reply = noop
(9)     } # else = noop
(9)     if (&reply:Local-Reject-Check) {
(9)     if (&reply:Local-Reject-Check)  -> TRUE
(9)     if (&reply:Local-Reject-Check)  {
(9)       [reject] = reject
(9)     } # if (&reply:Local-Reject-Check)  = reject
(9)   } # post-auth = reject
(9) Using Post-Auth-Type Reject

I'm wondering if I should look at doing one of these:
1) Explicitly state a "Post-Auth-Type Accept" and somehow change the if logic
2) Somehow mix in a vendor attribute to match the device type (Juniper,
Cisco, whatever) and *only* look for the network* group when it's a
network vendor?

I feel as though there's a much simpler answer to both of those, but I
can't see the forest for the trees.

Cheers,
Chris
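The reject in the debug output above happens because each group check writes to Local-Reject-Check in its own else branch, so a user who is in only one of the two groups always ends up with the attribute set. The following post-auth fragment is an added example, not code from the original poster or from the linked thread: it records each successful membership in a scratch attribute and rejects only when nothing matched, which gives "member of any listed group" semantics. It assumes an ldap module instance named "ldap" with group lookups configured so that LDAP-Group comparisons work, that the group names "network-users" and "optical-users" are illustrative, and that the fragment is placed in the post-auth section of the virtual server (e.g. sites-enabled/default). The final block, which ties the required group to the type of client, additionally assumes that each entry in clients.conf carries a custom "device_role" value and that it is read back with %{client:device_role}.

```unlang
post-auth {
    # Each LDAP-Group comparison triggers a membership lookup through the
    # "ldap" module instance. Tmp-String-0 is a scratch attribute from the
    # internal dictionary; it is never sent to the NAS. Using separate
    # "if" blocks with "+=" records every group the user is a member of,
    # not just the first one.
    if (&LDAP-Group == "network-users") {
        update request {
            &Tmp-String-0 += "network"
        }
    }

    if (&LDAP-Group == "optical-users") {
        update request {
            &Tmp-String-0 += "optical"
        }
    }

    # Reject only when no group matched at all. A single failed group
    # check no longer causes a reject on its own.
    if (!&Tmp-String-0) {
        update reply {
            &Reply-Message := "Not a member of any permitted LDAP group"
        }
        reject
    }

    # Optional stricter rule (assumption: clients.conf defines
    # "device_role = network" on the network devices). Only network
    # devices insist on the network group; other clients are satisfied
    # by any matching group above.
    if (("%{client:device_role}" == "network") && (&Tmp-String-0 != "network")) {
        update reply {
            &Reply-Message := "Network devices require the network-users group"
        }
        reject
    }
}
```

Because a bare `reject` at the end of post-auth returns the reject code, the server still runs Post-Auth-Type Reject exactly as in the debug output above; what changes is that the decision is taken once, after all group checks, instead of inside each group's else branch. Running `radiusd -X` with a test user in only one group should now show the matching `update request` as `ok` and the `if (!&Tmp-String-0)` block evaluating to FALSE.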
