Hello Alan, Thanks for your time. Another question, although after those two changes [mentioned above], the server is still allowing the GUEST users to login.What i am doing wrong? Any help will be thankfully appreciated. Have a nice day! __________________________________________________________________________________________________________________ (0) Received Access-Request Id 164 from 127.0.0.1:56127 to 127.0.1.1:1812 length 76 (0) User-Name = "riedel" (0) User-Password = "testtest1A" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 1812 (0) Message-Authenticator = 0xf39ecbe7fd56fcc239189fe5e548c9cc (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "riedel", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop *(0) files: Searching for user in group "Gast"* rlm_ldap (ldap): Reserved connection (0) (0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) files: --> (uid=riedel) (0) files: Performing search in "ou=people,dc=fr" with filter "(uid=riedel)", scope "sub" (0) files: Waiting for search result... (0) files: User object found at DN "uid=riedel,ou=people,dc=uni-potsdam,dc=de" (0) files: Checking user object's memberOf attributes (0) files: Performing unfiltered search in "uid=riedel,ou=people,dc=fr", scope "base" (0) files: Waiting for search result... (0) files: Search returned no results (0) files: Can't check membership attributes, user object not found rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://10.9.25.56:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) files: User is not a member of "Gast" (0) [files] = noop rlm_ldap (ldap): Reserved connection (1) (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (uid=riedel) (0) ldap: Performing search in "ou=people,dc=fr" with filter "(uid=riedel)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: User object found at DN "uid=riedel,ou=people,dc=fr" (0) ldap: Processing user attributes (0) ldap: control:NT-Password := 0x3937316136326634626234393063623639653936363163616333356132323734 rlm_ldap (ldap): Released connection (1) (0) [ldap] = updated (0) if (Ldap-Group == "Gast") { (0) Searching for user in group "Gast" rlm_ldap (ldap): Reserved connection (2) (0) Using user DN from request "uid=riedel,ou=people,dc=fr" (0) Checking user object's memberOf attributes (0) Performing unfiltered search in "uid=riedel,ou=people,dc=fr", scope "base" (0) Waiting for search result... (0) Search returned no results (0) Can't check membership attributes, user object not found rlm_ldap (ldap): Released connection (2) (0) User is not a member of "Gast" (0) if (Ldap-Group == "Gast") -> FALSE (0) [expiration] = noop (0) [logintime] = noop (0) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known-good" NT-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (0) update { (0) No attributes updated for RHS &session-state: (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop *(0) Sent Access-Accept Id 164 from 127.0.1.1:1812 <http://127.0.1.1:1812> to 127.0.0.1:56127 <http://127.0.0.1:56127> length 0* (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 164 with timestamp +5 On Wed, Sep 22, 2021 at 2:49 PM Alan DeKok <aland@deployingradius.com> wrote:
On Sep 22, 2021, at 3:06 AM, Sazzad Hossain <sazzad.suzon89@gmail.com> wrote:
I want to block our Guest users to use our VPN and i wrote following under / sites-enable/default.
*ldap*
* if (Ldap-Group [*] == "Gast") { update control { AUth-Type = reject } }*
Why add the [*] ?
All of the documentation and examples say to just use what you did here:
and under /freeradius/users
*DEFAULT Ldap-Group == "Gast", Auth-Type := Reject Fall-Through = yes*
There's no [*] here, which is correct.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html