On Feb 14, 2017, at 11:57 AM, Luc Paulin <paulinster@gmail.com> wrote:
Thanx Matthew, I already had a look at that url but look like it doesn't work.
It works if you follow the documentation.
must be something I am not doing right .. but unsure what ..
I have create a huntgroup which look like this ..
wireless NAS-IP-Address == 10.1.0.81
and my users file only has the following line in it ..
DEFAULT Ldap-Group == "admin-galaxie", Huntgroup-Name == "wireless"
So my understand is that users that aren't member of the wireless-users group shouldn't be granted access to the wireless network/device. But that isn't what happenning .. everyone is granted access
That's not how the "users" file works. Please read the documentation to see how it works. That DEFAULT entry just checks if the LDAP-Group and Huntgroup-Name match. It doesn't *do* anything if they match, or if they don't match. You should write your policies in "unlang". It's clearer: authorize { ... # check only the first packet of EAP, and all non-EAP if (!&EAP-Message || !State) { if ((Huntgroup-Name == "wireless") && (Ldap-Group != "admin-galaxies")) { reject } } It's *much* easier to write clear if / then / else statements, instead of relying on your assumption about how the "users" file works. Alan DeKok.