It seems the default is Accept in `post-auth` section unless you reject it explicitly. On Fri, Mar 30, 2018 at 3:01 PM, luckydog xf <luckydogxf@gmail.com> wrote:
hi,
A weird thing is that I use LDAP to auenticate Network devices and SuperMicro Server.
Code talks, see below, SuperMicro presents its NAS IP as 127.0.0.1,while Network device isn't.
======== SECTION: post-auth =====================
# Ref NO: 1 if (&LDAP-Group == "network-2" && &NAS-IP-Address != "127.0.0.1") { update reply { &Service-Type = "NAS-Prompt-User", &Huawei-Exec-Privilege = "2", &Login-Service = 50,
} }
#Ref NO: 2 if (&LDAP-Group == "mgmt-console" && &NAS-IP-Address == "127.0.0.1") { update reply {
&Attr-26 = 0x483D342C20493D34 } }
#Ref No: 3 else { update reply {
&Reply-Message = "%{User-Name} is not allowed to access %{NAS-IP-Address}."
}
reject }
===================================================
Apparently if user exists in both network-2 and mgmt-console groups of LDAP, the trick thing occurs.
First, it's true of Ref No.1, the auth continues, then Ref NO.2 evaluates, while NAS isn't 127.0.0.1(I'm logging in network device), Ref No.2 isn't true, it comes to `else` , AKA Ref NO.3, user is denied by network device.
Any way to handle this situation?
I spend the whole day to do this, but no progress made yet.
Thanks.