Fantastic! Thanks so much. unlang looks pretty interesting. Ill need to do more reading. Is there a book coming out on freeradius 2 soon? I've gotten alot of good info from the oreilly freeradius 1 book. Thanks! Liz On Sun, Oct 19, 2008 at 11:17 AM, Alan DeKok <aland@deployingradius.com>wrote:
Elizabeth Steinke wrote:
I tested this rule with radtest (Making the necessary modifications and it worked fine.
DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group = "CN=somevpn...", Auth-Type := ntlm_auth_plaintext DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group != "CN=somevpn...", Auth-Type := Reject
Then it's fine.
Is it a good idea to force the auth-type in the users file? is there a cleaner way to do this?
If it works... it's fine.
The big rants about not forcing Auth-Type are because of the people who force it without understanding the consequences... and then complain when it doesn't work.
While rewriting the rules file I am pairing accept and denies as above. Is that necessary or will it turn out to be horribly inefficient?
It's good practice. But doing all of those LDAP-Group queries can get expensive. i.e. you're doing *two* queries instead of one.
You could fix this with "unlang":
if (Huntgroup-Name == "vpn-pix") { if (LDAP-Group == ...) { update control { Auth-Type := ntlm_auth_plaintext } } else { reject }
}
Only one LDAP-Group check is more efficient.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html