I was trying to keep the vpn logic separate from everything else. So first I handle my firewall which sends the Connect-Info attribute. If Connect-Info is vpn-ssl, then it's a vpn login, and I want only members of my vpn groups to be allowed. Next I do the same logic for my admin logins. The case (!Connect-Info) section handles the rest of my network devices, where I want all my admins to have access based on their profile. I was testing profiles with a superadmins-VPN user but didn't get that working, which is why i didn't attempt to add a profile to the others yet. For profiles I haven't got that working so far unless I specify it in the users file. I haven't don't any research on it yet, so I didn't bother asking about it here yet. As for the authorize issue I'm having, I'm leaning towards the problem being on the firewall right now. I swapped out my sites-enabled/default for the original one before I made any changes, and then just uncommented the lamuser auth-type reject clause from the users file. If I try to login as lameuser, I still get 3x failed logins. I will take this up with the firewall team and see if they have some kind of retry logic going on. Thank you Alan, you have been most helpful throughout this. On Mon, Jul 27, 2015 at 7:07 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 26, 2015, at 3:01 PM, D C <dc12078@gmail.com> wrote:
Ah ok, I tried authenticate with no luck. Now I'm using authorize, but still having the same issue. It looks like the ldap module is authorizing the request, so even now I am still too late in the pipeline.
Most of the "ldap" lines are it doing the LDAP-Group checks.
Here is my config with comments removed, and the output of radiusd -X from just "one" login attempt. I am expecting it to fail because my vpn user is not authorized for an admin login. However, I am getting 3x login attempts which i believe is because ldap bind authorized it.
You've changed the unlang rules you posted before. Why?
As an example, what do you expect this to do?
switch Connect-Info { case "vpn-ssl" { if ((LDAP-Group == "superAdmins-VPN") || (LDAP-Group == "readAdmins-VPN") || (LDAP-Group == "users-VPN")) { update reply { Reply-Message += "VPN access granted by LDAP group membership." } ok } else { update reply { Reply-Message += "VPN access denied by LDAP group membership." } ok } }
So... if the LDAP group *doesn't* match, you have it do "ok", instead of "reject". Why?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html