Fantastic!

Thanks so much. unlang looks pretty interesting. Ill need to do more reading. Is there a book coming out on freeradius 2 soon? I've gotten alot of good info from the oreilly freeradius 1 book.

Thanks!
Liz


On Sun, Oct 19, 2008 at 11:17 AM, Alan DeKok <aland@deployingradius.com> wrote:
Elizabeth Steinke wrote:
> I tested this rule with radtest (Making the necessary modifications  and
> it worked fine.
>
> DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group = "CN=somevpn...",
> Auth-Type := ntlm_auth_plaintext
> DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group != "CN=somevpn...",
> Auth-Type := Reject

 Then it's fine.

> Is it a good idea to force the auth-type in the users file? is there a
> cleaner way to do this?

 If it works... it's fine.

 The big rants about not forcing Auth-Type are because of the people
who force it without understanding the consequences... and then complain
when it doesn't work.

> While rewriting the rules file I am pairing accept and denies as above.
> Is that necessary or will it turn out to be horribly inefficient?

 It's good practice.  But doing all of those LDAP-Group queries can get
expensive.  i.e. you're doing *two* queries instead of one.

 You could fix this with "unlang":

       if (Huntgroup-Name == "vpn-pix") {
               if (LDAP-Group == ...) {
                       update control {
                               Auth-Type := ntlm_auth_plaintext
                       }
               }
               else {
                       reject
               }

       }

 Only one LDAP-Group check is more efficient.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html