Alan DeKok wrote:
No. the server will automatically reject anyone who isn't authenticated.
As a hint, the default config does *not* have that entry. So adding it is likely "unusual".
You are, of course, correct... :) I believe we resolved this now, however. I removed the default reject and updated the ldap groups with this : DEFAULT Ldap-Group != "cn=vpn,ou=groups,o=myorg", Auth-Type := Reject DEFAULT Ldap-Group == "cn=admin,ou=groups,o=myorg" Class = ADMIN, DEFAULT Ldap-Group == "cn=user,ou=groups,o=myorg" Class = USER,
Yes, they can be. But you're telling the server to *not* check passwords. "Just accept the users... they're fine".
I understand this now... What I have now appears to be working properly. We tested all cases (with/without vpn group, good/bad password)
See raddb/modules/ldap. Group checking is documented in the comments there.
Will do. Thanks a ton for the help...
Alan DeKok.
-- --------------------------- Jason Frisvold xenophage0@gmail.com --------------------------- "I love deadlines. I like the whooshing sound they make as they fly by." - Douglas Adams