Markus Krause wrote:
Zitat von Martin Whinnery <martin.whinnery@sbc.ac.uk>:
Hi.
Probly just me not understanding...
What I want is for our switches to only allow access to MAC addresses in our LDAP database.
I don't want to store passwords on our LDAP host entries.
I'm set up to check LDAP during authorisation, and it correctly returns authorised / not authorised depending on whether the appropriate attribute contains the right value.
The trouble comes with authentication - either I set Auth-Type := Accept, in which case and failed authorisation is overridden, or I allow authentication to carry on against LDAP ( or System, or whatever ), in which case it fails always and access is denied, even for authorised MACs.
Is there a way to make the Authorisation part final and authoritative?
As I say, probly just being stoopid.
Mart
don't no if it is a good solution, but i just do this by setting the following in radiusd.conf:
authenticate { ... Auth-Type LdapMAC { ok } ... }
the Auth-Type is set in users file depending on huntgroups:
DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
i assume there are better/smarter sollutions as one can read "don't set Auth-Type" on many places but it works here ;-)
regards markus
Thanks Markus, the problem seems to be that the authorisation pass returns "notfound", whereas I want it to "reject", as if it found an entry in LDAP without the appropriate attribute. Mart -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.