Ahh ok, i see it now. I've not tested the vpn yet, just the admin login. I've been trying to figure out my 3x login attempts issue before moving forward. Your absolutely right, I've fixed that now. Thanks, Dan On Mon, Jul 27, 2015 at 9:43 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 27, 2015, at 9:12 AM, D C <dc12078@gmail.com> wrote:
I was trying to keep the vpn logic separate from everything else.
That idea isn't implemented in the policy you wrote.
So first I handle my firewall which sends the Connect-Info attribute. If Connect-Info is vpn-ssl, then it's a vpn login, and I want only members of my vpn groups to be allowed. Next I do the same logic for my admin logins.
That's nice, but you're missing my point. The logic you posted does:
a) allow "good" users to be accepted
it does NOT do:
b) reject "bad" users
That's why "bad" users are being accepted. They're seen as bad, and then you have it do "ok", instead of "reject".
As for the authorize issue I'm having, I'm leaning towards the problem being on the firewall right now. I swapped out my sites-enabled/default for the original one before I made any changes, and then just uncommented the lamuser auth-type reject clause from the users file. If I try to login as lameuser, I still get 3x failed logins.
See what the debug output says.
The logic should be simple:
if (user is trying to do X and LDAP group is not "users who are allowed to do X") { reject }
That will allow "good" users to do X, and prevent "bad" users from doing X.
I will take this up with the firewall team and see if they have some kind of retry logic going on.
Thank you Alan, you have been most helpful throughout this.
It's what I do.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html