On Mon, Feb 1, 2010 at 10:50 PM, Amaru Netapshaak <postfix_amaru@yahoo.com> wrote:
Anyway, if you still need "accept all", Alan's example should work. Put something like this on authorize section
ldap if (notfound) { update control { Auth-Type = Accept } update reply { Tunnel-Private-Group-ID = 10 } }
that way if the user is NOT in ldap, it will simply return Access-Accept with attribute Tunnel-Private-Group-ID = 10 (you can add other required reply attributes there as well).
I tried your suggestion, still returns REJECT.
Where did you put it? Perhaps you put it in the wrong section? I tested it with radtest, and it works (returns Accept). But if you're testing it with actual EAP clients it needs to be in authorize section of sites-enabled/inner-tunnel. Also, running radius in debug mode might help. It'll help identify whether the ldap module actually returns notfound during authorize, or returns something else. -- Fajar