2015-05-12 11:51 GMT+02:00 Thomas Stather <Thomas.Stather@mpimf-heidelberg.mpg.de>:
Hello again
I have this (LDAP string has been modified because of security considerations)
server macauth {
authorize { preprocess
# clean the Calling-Station-ID rewrite_calling_station_id
# now authenticate against LDAP if (!"%{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") { reject } else { # accept update control { Auth-Type := Accept } } }
As Matthew wrote you're sending an Access-Accept as soon as the Calling-Station-Id is found in LDAP and that doesn't work. The easiest fix would be to send "noop" instead so that FR can continue doing it's stuff (which is required for a complete 802.1x session) and only send a reject when the Calling-Station-Id is not found in LDAP. So the above code would look like if (!"%{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") { reject } else { # accept noop }