99% of my config authenticates against ldap. There are certain situations (mainly authenticating our old phones) where I need to have mac auth as well. Both methods are authenticating fine. The problem is that I would like for freeradius to not search ldap when the "if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i))" comes back as TRUE. As the config is now (output below), it runs the condition and regardless of the outcome it performs a search against ldap for the mac, which will always fail and causes unnecessary queries. How can I accomplish this? ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++? if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) ?? Evaluating (Service-Type == 'Call-Check') -> FALSE expand: ^%{Calling-Station-ID}$ -> ^00-24-d6-a6-ce-ce$ ?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE ++? if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) -> TRUE ++- entering if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) {...} +++[control] returns noop ++- if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) returns noop ++[chap] returns noop [ldap] performing user authorization for 00-24-d6-a6-ce-ce [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> 00-24-d6-a6-ce-ce [ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=00-24-d6-a6-ce-ce) [ldap] expand: o=kasd -> o=kasd [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to ldap.company.com:389, authentication 0 [ldap] setting TLS CACert File to /etc/raddb/certs/CA.pem [ldap] starting TLS [ldap] bind as cn=radmin,o=org/<password> to ldpa.company.com:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in o=org, with filter (cn=00-24-d6-a6-ce-ce) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = CSID +- entering group CSID {...} ++? if (Chap-Password) ? Evaluating (Chap-Password) -> FALSE ++? if (Chap-Password) -> FALSE ++- entering else else {...} +++[ok] returns ok ++- else else returns ok Login OK: [00-24-d6-a6-ce-ce] (from client kasd port 0 cli 00-24-d6-a6-ce-ce) +- entering group post-auth {...} ++[ldap] returns noop ++[exec] returns noop ++? if (control:Auth-Type == 'CSID') ? Evaluating (control:Auth-Type == 'CSID') -> TRUE ++? if (control:Auth-Type == 'CSID') -> TRUE ++- entering if (control:Auth-Type == 'CSID') {...} [authorized_macs] expand: %{Calling-Station-ID} -> 00-24-d6-a6-ce-ce [authorized_macs] users: Matched entry 00-24-d6-a6-ce-ce at line 1 +++[authorized_macs.authorize] returns ok +++? if (!ok) ? Evaluating !(ok) -> FALSE +++? if (!ok) -> FALSE ++- if (control:Auth-Type == 'CSID') returns ok Sending Access-Accept of id 65 to 10.1.2.85 port 53168 Reply-Message = "MyLaptop" Service-Type := Call-Check Filter-Id = "Students" Finished request 0.
On 13/12/10 15:03, Rob Yamry wrote:
(output below), it runs the condition and regardless of the outcome it performs a search against ldap for the mac, which will always fail and causes unnecessary queries.
How can I accomplish this?
Use an "else": if (...) { } else { ldap }
Perfect, thanks. if((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)){ update control { Auth-Type := 'CSID' } } else{ ldap }
participants (2)
-
Phil Mayers -
Rob Yamry