On Jul 25, 2015, at 6:48 PM, D C <dc12078@gmail.com> wrote:
Thanks to radiusd -X, I found that my fortigate appliance sends an attribute in the request called "Connect-Info" which distinguishes if it's and vpn login or a admin login.
That's why we recommend reading the debug output. :)
I can do something like this in post-auth which "works"..( ignore typos, i'm going off the top of my head here.) When the user is rejected, the behaviour i see is that I get one Login OK message, followed by two login failures. This is probably because I'm doing this in post-auth as I've read in other posts. I know if I do not allow the ldap group in my users file, I get a single failure with no repeat login attempts.
My question is where can I apply this logic besides post-auth, so that I can handle it before I allow the login?
You can put it into the "authorize" section. Generally, you want to reject "bad" users as early as possible. This means using the "authorize" section.
switch Connect-Info { ...
All that looks fine. Just move it to the "authorize" section. Alan DeKok.