On Jul 26, 2015, at 3:01 PM, D C <dc12078@gmail.com> wrote:
Ah ok, I tried authenticate with no luck. Now I'm using authorize, but still having the same issue. It looks like the ldap module is authorizing the request, so even now I am still too late in the pipeline.
Most of the "ldap" lines are it doing the LDAP-Group checks.
Here is my config with comments removed, and the output of radiusd -X from just "one" login attempt. I am expecting it to fail because my vpn user is not authorized for an admin login. However, I am getting 3x login attempts which i believe is because ldap bind authorized it.
You've changed the unlang rules you posted before. Why? As an example, what do you expect this to do? switch Connect-Info { case "vpn-ssl" { if ((LDAP-Group == "superAdmins-VPN") || (LDAP-Group == "readAdmins-VPN") || (LDAP-Group == "users-VPN")) { update reply { Reply-Message += "VPN access granted by LDAP group membership." } ok } else { update reply { Reply-Message += "VPN access denied by LDAP group membership." } ok } } So... if the LDAP group *doesn't* match, you have it do "ok", instead of "reject". Why? Alan DeKok.