Elizabeth Steinke wrote:
I tested this rule with radtest (Making the necessary modifications and it worked fine.
DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group = "CN=somevpn...", Auth-Type := ntlm_auth_plaintext DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group != "CN=somevpn...", Auth-Type := Reject
Then it's fine.
Is it a good idea to force the auth-type in the users file? is there a cleaner way to do this?
If it works... it's fine. The big rants about not forcing Auth-Type are because of the people who force it without understanding the consequences... and then complain when it doesn't work.
While rewriting the rules file I am pairing accept and denies as above. Is that necessary or will it turn out to be horribly inefficient?
It's good practice. But doing all of those LDAP-Group queries can get expensive. i.e. you're doing *two* queries instead of one. You could fix this with "unlang": if (Huntgroup-Name == "vpn-pix") { if (LDAP-Group == ...) { update control { Auth-Type := ntlm_auth_plaintext } } else { reject } } Only one LDAP-Group check is more efficient. Alan DeKok.