Ah ok, I tried authenticate with no luck. Now I'm using authorize, but still having the same issue. It looks like the ldap module is authorizing the request, so even now I am still too late in the pipeline. Here is my config with comments removed, and the output of radiusd -X from just "one" login attempt. I am expecting it to fail because my vpn user is not authorized for an admin login. However, I am getting 3x login attempts which i believe is because ldap bind authorized it. http://pastebin.com/raw.php?i=UPt435VX http://pastebin.com/raw.php?i=2atLPQxv any thoughts? Thanks, Dan On Sun, Jul 26, 2015 at 7:35 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 25, 2015, at 6:48 PM, D C <dc12078@gmail.com> wrote:
Thanks to radiusd -X, I found that my fortigate appliance sends an attribute in the request called "Connect-Info" which distinguishes if it's and vpn login or a admin login.
That's why we recommend reading the debug output. :)
I can do something like this in post-auth which "works"..( ignore typos, i'm going off the top of my head here.) When the user is rejected, the behaviour i see is that I get one Login OK message, followed by two login failures. This is probably because I'm doing this in post-auth as I've read in other posts. I know if I do not allow the ldap group in my users file, I get a single failure with no repeat login attempts.
My question is where can I apply this logic besides post-auth, so that I can handle it before I allow the login?
You can put it into the "authorize" section.
Generally, you want to reject "bad" users as early as possible. This means using the "authorize" section.
switch Connect-Info { ...
All that looks fine. Just move it to the "authorize" section.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html