Hi Ivan, Please see my quick queries inline. I will read more on this and will let you know, meanwhile if you think iam starting in completely wrong way, please advise. On Tue, Sep 16, 2008 at 3:45 PM, <tnt@kalik.net> wrote:
First a few basic things. Are you using a very old version of the server? If you are, unlang is not going to work. If you are not, don't use Auth-Type Local and User-Password but Cleartext-Password as per instructions in users file. [Pavan] I was trying with older Radius Server (1.series)
You can't pass priv level in Reply-Message. You need to consult your NAS documentation to see how it's done. It's usually passed in vendor specific attributes like Cisco avpairs.
[Pavan] YES Agreed. I plan to add such attributes specific to my NAS.
/ets/raddb/users have first entry for each user with correct passwd, followed by wrong passwd(kept it as regular expression *)
xyz Auth-Type := Local , User-password = "xyz" Reply-Message = "successfull level(2)."
xyz Auth-Type := Reject , User-password =~ "*" Reply-Message = "Invalid passwd for xyz(level 2)."
You don't need regexp there. If user entries with passwords weren't matched it means that password is - wrong. No need to check for that.
[Pavan] If NAS has a requirement that - user with privilage level > 2 should not be locked on 4 consecutive invalid attempts. In this case i need the privilage level even if authentication fails to determine if he can be locked or not. Is this the correct way to do this? -- Does maintaining a database of users invalid attemtps count in NAS make sense -- Does the above entry look like an invalid/inconsistent entry.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html