First off I am totally new to radius...but really love the concept. I have radius working with ldap to authorize the user if they are in the corporate directory, o=lookout. My next step is to filter it by category to the NAS device. I have been looking at quite a few examples, but nothing seems to stick. In order for me to just grasp the concept, I have tried this in the users file, o=lookout is our complete list of all of our users DEFAULT Huntgroup-Name == CiscoAdmin, Ldap-Group == "o=lookout" Fall-Through = no DEFAULT Auth-Type := Reject If I comment out the Reject, the user is able to authenticate to the Cisco Router, as soon as uncomment it out, I get rejected...here is the log file from it. Thu Jun 4 16:15:52 2009 : Info: [ldap] user daverummel authorized to use remote access Thu Jun 4 16:15:52 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Thu Jun 4 16:15:52 2009 : Info: ++[ldap] returns ok Thu Jun 4 16:15:52 2009 : Info: ++[expiration] returns noop Thu Jun 4 16:15:52 2009 : Info: ++[logintime] returns noop Thu Jun 4 16:15:52 2009 : Info: Found Auth-Type = Reject Thu Jun 4 16:15:52 2009 : Info: Auth-Type = Reject, rejecting user Thu Jun 4 16:15:52 2009 : Info: Failed to authenticate the user. Thu Jun 4 16:15:52 2009 : Auth: Login incorrect: [daverummel] (from client R1 port 98 cli 216.103.190.220) Thu Jun 4 16:15:52 2009 : Info: Using Post-Auth-Type Reject Thu Jun 4 16:15:52 2009 : Info: +- entering group REJECT {...} Thu Jun 4 16:15:52 2009 : Info: [attr_filter.access_reject] expand: %{User-Name} -> daverummel Thu Jun 4 16:15:52 2009 : Debug: attr_filter: Matched entry DEFAULT at line 11 Thu Jun 4 16:15:52 2009 : Info: ++[attr_filter.access_reject] returns updated Thu Jun 4 16:15:52 2009 : Info: Delaying reject of request 0 for 1 seconds Thu Jun 4 16:15:52 2009 : Debug: Going to the next request Thu Jun 4 16:15:52 2009 : Debug: Waking up in 0.9 seconds. Thu Jun 4 16:15:53 2009 : Info: Sending delayed reject for request 0 The line I am really trying to understand is this one, where is this line 11 ? *Thu Jun 4 16:15:52 2009 : Debug: attr_filter: Matched entry DEFAULT at line 11 *Thanks for your help Dave
Dave Rummel wrote:
In order for me to just grasp the concept, I have tried this in the users file, o=lookout is our complete list of all of our users
DEFAULT Huntgroup-Name == CiscoAdmin, Ldap-Group == "o=lookout" Fall-Through = no
DEFAULT Auth-Type := Reject
If I comment out the Reject, the user is able to authenticate to the Cisco Router, as soon as uncomment it out, I get rejected...here is the log file from it.
Yes. Because the "users" file isn't the *only* source of configuration in the server. If you comment out the "Reject" line, the previous line does almost nothing. I would suggest using "unlang" to write the policies. It is a LOT more straightforward than the "users" file, and it is well integrated into the server.
The line I am really trying to understand is this one, where is this line 11 ?
*Thu Jun 4 16:15:52 2009 : Debug: attr_filter: Matched entry DEFAULT at line 11
See the configuration for the "attr_filter" module. Alan DeKok.
participants (2)
-
Alan DeKok -
Dave Rummel