99% of my config authenticates against ldap. There are certain situations (mainly authenticating our old phones) where I need to have mac auth as well. Both methods are authenticating fine. The problem is that I would like for freeradius to not search ldap when the "if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i))" comes back as TRUE. As the config is now (output below), it runs the condition and regardless of the outcome it performs a search against ldap for the mac, which will always fail and causes unnecessary queries.

How can I accomplish this?

++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++? if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') -> FALSE
expand: ^%{Calling-Station-ID}$ -> ^00-24-d6-a6-ce-ce$
?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
++? if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) -> TRUE
++- entering if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) {...}
+++[control] returns noop
++- if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) returns noop
++[chap] returns noop
[ldap] performing user authorization for 00-24-d6-a6-ce-ce
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> 00-24-d6-a6-ce-ce
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=00-24-d6-a6-ce-ce)
[ldap] expand: o=kasd -> o=kasd
 [ldap] ldap_get_conn: Checking Id: 0
 [ldap] ldap_get_conn: Got Id: 0
 [ldap] attempting LDAP reconnection
 [ldap] (re)connect to ldap.company.com:389, authentication 0
 [ldap] setting TLS CACert File to /etc/raddb/certs/CA.pem
 [ldap] starting TLS
 [ldap] bind as cn=radmin,o=org/<password> to ldpa.company.com:389
 [ldap] waiting for bind result ...
 [ldap] Bind was successful
 [ldap] performing search in o=org, with filter (cn=00-24-d6-a6-ce-ce)
[ldap] object not found
[ldap] search failed
 [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CSID
+- entering group CSID {...}
++? if (Chap-Password)
? Evaluating (Chap-Password) -> FALSE
++? if (Chap-Password) -> FALSE
++- entering else else {...}
+++[ok] returns ok
++- else else returns ok
Login OK: [00-24-d6-a6-ce-ce] (from client kasd port 0 cli 00-24-d6-a6-ce-ce)
+- entering group post-auth {...}
++[ldap] returns noop
++[exec] returns noop
++? if (control:Auth-Type == 'CSID')
? Evaluating (control:Auth-Type == 'CSID') -> TRUE
++? if (control:Auth-Type == 'CSID') -> TRUE
++- entering if (control:Auth-Type == 'CSID') {...}
[authorized_macs] expand: %{Calling-Station-ID} -> 00-24-d6-a6-ce-ce
[authorized_macs] users: Matched entry 00-24-d6-a6-ce-ce at line 1
+++[authorized_macs.authorize] returns ok
+++? if (!ok)
? Evaluating !(ok) -> FALSE
+++? if (!ok) -> FALSE
++- if (control:Auth-Type == 'CSID') returns ok
Sending Access-Accept of id 65 to 10.1.2.85 port 53168
 Reply-Message = "MyLaptop"
 Service-Type := Call-Check
 Filter-Id = "Students"
Finished request 0.
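The behaviour in the debug output comes from the module order in the authorize section: the if block only sets control:Auth-Type, and ldap is listed after it unconditionally, so it runs for every request. The usual way to skip it is to put the ldap call in the else branch of that same condition. The following authorize section is an added example, not the poster's configuration; it assumes a FreeRADIUS 2.x unlang syntax, the module names visible in the output above, and that the CSID Auth-Type section and the authorized_macs check in post-auth already exist as they do in the poster's setup.

```unlang
# Added example, not the poster's config. Assumes FreeRADIUS 2.x unlang,
# the module instances seen in the debug output, and an existing CSID
# Auth-Type section plus an authorized_macs check in post-auth.
authorize {
    preprocess
    eap
    unix
    files

    # MAC-auth request: either the switch sends Service-Type = Call-Check,
    # or the User-Name is simply the Calling-Station-Id. Route it to the
    # CSID Auth-Type and skip the directory entirely via the else branch,
    # so no LDAP search is issued for a MAC that is never a user entry.
    if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type := CSID
        }
    }
    else {
        # Everything else is a real user: look it up in LDAP as before.
        ldap
    }

    chap
    expiration
    logintime
    pap
}
```

With this layout the ldap module is never entered for MAC requests, so the "++[ldap]" lines disappear from the debug output for them, while password users still go through the directory. Acceptance of a MAC request continues to depend on the authorized_macs lookup in post-auth (the "if (!ok)" reject branch seen above), so removing the LDAP query does not widen what is accepted. Separately, the "Deprecated conditional expansion" warning comes from the filter in the ldap module config; on 2.x the replacement form is %{%{Stripped-User-Name}:-%{User-Name}}.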