On 6/26/06, duckeo <duckeo@gmail.com> wrote:
The aim is to authenticate users to their MS active directory account via LDAP, and then check that the user is a member of the WirelessVPN group -- if these two conditions meet then the user is granted access.
What's happening at the moment is as long as the user EXISTS the authentication will pass, even if the password is incorrect. If the useraccount does not exist it will fail.
Found the problem, looks like I'm not supposed to have Auth-Type := Accept at the end of the lines? I now have: # successful, user has LDAP password and Group access DEFAULT Auth-Type := LDAP, Ldap-Group == "RadiusWirelessVPN" Service-Type = Framed, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255 # User does not have the correct password DEFAULT Auth-Type != LDAP, Auth-Type := Reject Reply-Message = "Access Rejected - Please check your username and password and try again." # User is not a member of the correct group DEFAULT Ldap-Group == "RadiusWirelessVPN", Auth-Type := Reject Reply-Message = "Access Rejected - You do not have permission to log onto this service." #default reject DEFAULT Auth-Type := Reject Reply-Message = "Access Rejected - Please check your username and password and try again." Is this the correct way to be handling errors? Functionally it works but it is not sending back the correct messages (i.e. hitting the correct rule) upon failing