Ok thanx for your reply .. I think that I now start to better understand how the this work.. So policies need/can be written within the auth so we can reject request base on the person's group membership and huntgroup .. So base on this I made this simple switch case that I added to the authorize section after the ldap module switch Huntgroup-Name { case "wireless1" { if (Ldap-Group != "admin-galaxie") { reject } } case "wireless2"{ if (Ldap-Group != "devopsusers") { reject } } case { reject } } However when I test I dont seem to be getting the expecting result. ++[pap] = noop ++switch Huntgroup-Name { ++switch Huntgroup-Name { +++case wireless2 { ++++? if (Ldap-Group != "devopsusers") [ldap] Entering ldap_groupcmp() expand: DC=corp,DC=stingraydigital,DC=com -> DC=corp,DC=stingraydigital,DC=com expand: (&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn})) -> (&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dInfrastructure\2cOU\3dIT\2cDC\3dcorp\2cDC\3dstingraydigital\2cDC\3dcom)) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in DC=corp,DC=stingraydigital,DC=com, with filter (&(cn=devopsusers)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dInfrastructure\2cOU\3dIT\2cDC\3dcorp\2cDC\3dstingraydigital\2cDC\3dcom))) *rlm_ldap::ldap_groupcmp: User found in group devopsusers* [ldap] ldap_release_conn: Release Id: 0 *? Evaluating (Ldap-Group != "devopsusers") -> TRUE* *++++? if (Ldap-Group != "devopsusers") -> TRUE* ++++if (Ldap-Group != "devopsusers") { +++++[reject] = reject ++++} # if (Ldap-Group != "devopsusers") = reject +++} # case wireless2 = reject ++} # switch Huntgroup-Name = reject +} # group authorize = reject Look like the Ldap-Group did found that the user is member of the devopsuser group, which is correct, however, when I do the negative compare (!=) it also return true. I have also tried with "==" got the exact same result, ++[pap] = noop ++switch Huntgroup-Name { ++switch Huntgroup-Name { +++case wireless2 { ++++? if (Ldap-Group == "devopsusers") [ldap] Entering ldap_groupcmp() expand: DC=corp,DC=stingraydigital,DC=com -> DC=corp,DC=stingraydigital,DC=com expand: (&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn})) -> (&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dInfrastructure\2cOU\3dIT\2cDC\3dcorp\2cDC\3dstingraydigital\2cDC\3dcom)) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in DC=corp,DC=stingraydigital,DC=com, with filter (&(cn=devopsusers)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dInfrastructure\2cOU\3dIT\2cDC\3dcorp\2cDC\3dstingraydigital\2cDC\3dcom))) *rlm_ldap::ldap_groupcmp: User found in group devopsusers* [ldap] ldap_release_conn: Release Id: 0 *? Evaluating (Ldap-Group == "devopsusers") -> TRUE* *++++? if (Ldap-Group == "devopsusers") -> TRUE* ++++if (Ldap-Group == "devopsusers") { +++++[reject] = reject ++++} # if (Ldap-Group == "devopsusers") = reject +++} # case wireless2 = reject ++} # switch Huntgroup-Name = reject +} # group authorize = reject Thanx for you help -- !!!!! ( o o ) --------------oOO----(_)----OOo-------------- Luc Paulin email: paulinster(at)gmail.com Skype: paulinster 2017-02-14 12:03 GMT-05:00 Alan DeKok <aland@deployingradius.com>:
On Feb 14, 2017, at 11:57 AM, Luc Paulin <paulinster@gmail.com> wrote:
Thanx Matthew, I already had a look at that url but look like it doesn't work.
It works if you follow the documentation.
must be something I am not doing right .. but unsure what ..
I have create a huntgroup which look like this ..
wireless NAS-IP-Address == 10.1.0.81
and my users file only has the following line in it ..
DEFAULT Ldap-Group == "admin-galaxie", Huntgroup-Name == "wireless"
So my understand is that users that aren't member of the wireless-users group shouldn't be granted access to the wireless network/device. But that isn't what happenning .. everyone is granted access
That's not how the "users" file works. Please read the documentation to see how it works.
That DEFAULT entry just checks if the LDAP-Group and Huntgroup-Name match. It doesn't *do* anything if they match, or if they don't match.
You should write your policies in "unlang". It's clearer:
authorize { ...
# check only the first packet of EAP, and all non-EAP if (!&EAP-Message || !State) { if ((Huntgroup-Name == "wireless") && (Ldap-Group != "admin-galaxies")) { reject } }
It's *much* easier to write clear if / then / else statements, instead of relying on your assumption about how the "users" file works.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html