On Dec 19, 2015, at 7:53 AM, François Lacombe <fl.infosreseaux@gmail.com> wrote:
2015-12-17 1:46 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
On Dec 16, 2015, at 6:34 PM, François Lacombe <fl.infosreseaux@gmail.com> wrote:
As you suggest it, how can I prevent freeradius to go in authenticate section when LDAP return no user record ?
For EAP, you can't. EAP requires that the server return an EAP failure at the appropriate stage.
The EAP protocol is designed to work a certain way. Forcing it to behave in a different way means that nothing good will happen.
Is this really an EAP matter ?
Yes. See where I said "the EAP protocol is designed to work a certain way".
Freeradius won't go in authenticate section when the access_attribute is set to false in the LDAP user account with access_positive = yes in ldap module conf. Because the account is locked out.
Sure. But bailing early on an EAP authentication *might* work. i.e. it won't work by design.
It would be great to reject the request the same way when no user is found in the ldap.
See where I said "people other than you use FreeRADIUS". Your needs are *not* everyone else's needs. If you want it to bail early when no user is found in LDAP, this is trivial. And documented. See "man unlang". ldap if (notfound) { reject } This can cause problems for some EAP clients. But it's your network. If you want to violate the protocols and break things, it's up to you. Alan DeKok.