things dont just stop after each if statement - its all fall-through - but in post-auth you've already auth'd , you need to either be messing with control or do this in the normal auth phase instead On 30 March 2018 at 08:37, luckydog xf <luckydogxf@gmail.com> wrote:
It seems the default is Accept in `post-auth` section unless you reject it explicitly.
On Fri, Mar 30, 2018 at 3:01 PM, luckydog xf <luckydogxf@gmail.com> wrote:
hi,
A weird thing is that I use LDAP to auenticate Network devices and SuperMicro Server.
Code talks, see below, SuperMicro presents its NAS IP as 127.0.0.1,while Network device isn't.
======== SECTION: post-auth =====================
# Ref NO: 1 if (&LDAP-Group == "network-2" && &NAS-IP-Address != "127.0.0.1") { update reply { &Service-Type = "NAS-Prompt-User", &Huawei-Exec-Privilege = "2", &Login-Service = 50,
} }
#Ref NO: 2 if (&LDAP-Group == "mgmt-console" && &NAS-IP-Address == "127.0.0.1") { update reply {
&Attr-26 = 0x483D342C20493D34 } }
#Ref No: 3 else { update reply {
&Reply-Message = "%{User-Name} is not allowed to access %{NAS-IP-Address}."
}
reject }
===================================================
Apparently if user exists in both network-2 and mgmt-console groups of LDAP, the trick thing occurs.
First, it's true of Ref No.1, the auth continues, then Ref NO.2 evaluates, while NAS isn't 127.0.0.1(I'm logging in network device), Ref No.2 isn't true, it comes to `else` , AKA Ref NO.3, user is denied by network device.
Any way to handle this situation?
I spend the whole day to do this, but no progress made yet.
Thanks.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html