Martin Whinnery wrote:
Markus Krause wrote:
Zitat von Martin Whinnery <martin.whinnery@sbc.ac.uk>:
Hi.
Probly just me not understanding...
What I want is for our switches to only allow access to MAC addresses in our LDAP database.
I don't want to store passwords on our LDAP host entries.
I'm set up to check LDAP during authorisation, and it correctly returns authorised / not authorised depending on whether the appropriate attribute contains the right value.
The trouble comes with authentication - either I set Auth-Type := Accept, in which case and failed authorisation is overridden, or I allow authentication to carry on against LDAP ( or System, or whatever ), in which case it fails always and access is denied, even for authorised MACs.
Is there a way to make the Authorisation part final and authoritative?
As I say, probly just being stoopid.
Mart
don't no if it is a good solution, but i just do this by setting the following in radiusd.conf:
authenticate { ... Auth-Type LdapMAC { ok } ... }
the Auth-Type is set in users file depending on huntgroups:
DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
i assume there are better/smarter sollutions as one can read "don't set Auth-Type" on many places but it works here ;-)
regards markus
Thanks Markus,
the problem seems to be that the authorisation pass returns "notfound", whereas I want it to "reject", as if it found an entry in LDAP without the appropriate attribute.
Mart
This was exactly the problem. What I've done is created an exec module, which checks for 'not found' in MODULE_FAILURE_MESSAGE, returning non-zero if there's a match. So authorization *fails* rather than succeeds with 'not found'. I think. Anyway, it works. Thanks for all your help. Mart -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.