Hello, At first, Thanks in advance for your valuable time! I want to block our Guest users to use our VPN and i wrote following under / sites-enable/default. *ldap* * if (Ldap-Group [*] == "Gast") { update control { AUth-Type = reject } }* and under /freeradius/users *DEFAULT Ldap-Group == "Gast", Auth-Type := Reject Fall-Through = yes* when i compile it then shows the following output. ________________________________________________________________ root@xx:~# freeradius -X FreeRADIUS Version 3.0.20 Copyright (C) 1999-2019 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/proxy.conf including configuration file /etc/freeradius/3.0/clients.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/echo including configuration file /etc/freeradius/3.0/mods-enabled/replicate including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap including configuration file /etc/freeradius/3.0/mods-enabled/radutmp including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration file /etc/freeradius/3.0/mods-enabled/linelog including configuration file /etc/freeradius/3.0/mods-enabled/chap including configuration file /etc/freeradius/3.0/mods-enabled/passwd including configuration file /etc/freeradius/3.0/mods-enabled/realm including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/detail.log including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/eap including configuration file /etc/freeradius/3.0/mods-enabled/always including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp including configuration file /etc/freeradius/3.0/mods-enabled/ldap including configuration file /etc/freeradius/3.0/mods-enabled/logintime including configuration file /etc/freeradius/3.0/mods-enabled/digest including configuration file /etc/freeradius/3.0/mods-enabled/unix including configuration file /etc/freeradius/3.0/mods-enabled/utf8 including configuration file /etc/freeradius/3.0/mods-enabled/files including configuration file /etc/freeradius/3.0/mods-enabled/mschap including configuration file /etc/freeradius/3.0/mods-enabled/soh including configuration file /etc/freeradius/3.0/mods-enabled/unpack including configuration file /etc/freeradius/3.0/mods-enabled/expiration including configuration file /etc/freeradius/3.0/mods-enabled/pap including configuration file /etc/freeradius/3.0/mods-enabled/exec including configuration file /etc/freeradius/3.0/mods-enabled/expr including configuration file /etc/freeradius/3.0/mods-enabled/detail including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/filter including configuration file /etc/freeradius/3.0/policy.d/dhcp including configuration file /etc/freeradius/3.0/policy.d/canonicalization including configuration file /etc/freeradius/3.0/policy.d/abfab-tr including configuration file /etc/freeradius/3.0/policy.d/rfc7542 including configuration file /etc/freeradius/3.0/policy.d/accounting including configuration file /etc/freeradius/3.0/policy.d/eap including configuration file /etc/freeradius/3.0/policy.d/control including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/debug including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel including configuration file /etc/freeradius/3.0/sites-enabled/default /etc/freeradius/3.0/sites-enabled/default[426]: *Parse error in condition* /etc/freeradius/3.0/sites-enabled/default[426]: (*Ldap-Group [*] == "Gast") {* /etc/freeradius/3.0/sites-enabled/default[426]: *^ Invalid text. Expected comparison operator* *Errors reading or parsing /etc/freeradius/3.0/radiusd.conf* Any suggestion please? Have a nice day! Regards!
On Sep 22, 2021, at 3:06 AM, Sazzad Hossain <sazzad.suzon89@gmail.com> wrote:
I want to block our Guest users to use our VPN and i wrote following under / sites-enable/default.
*ldap*
* if (Ldap-Group [*] == "Gast") { update control { AUth-Type = reject } }*
Why add the [*] ? All of the documentation and examples say to just use what you did here:
and under /freeradius/users
*DEFAULT Ldap-Group == "Gast", Auth-Type := Reject Fall-Through = yes*
There's no [*] here, which is correct. Alan DeKok.
Hello Alan, Thanks for your time. Another question, although after those two changes [mentioned above], the server is still allowing the GUEST users to login.What i am doing wrong? Any help will be thankfully appreciated. Have a nice day! __________________________________________________________________________________________________________________ (0) Received Access-Request Id 164 from 127.0.0.1:56127 to 127.0.1.1:1812 length 76 (0) User-Name = "riedel" (0) User-Password = "testtest1A" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 1812 (0) Message-Authenticator = 0xf39ecbe7fd56fcc239189fe5e548c9cc (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "riedel", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop *(0) files: Searching for user in group "Gast"* rlm_ldap (ldap): Reserved connection (0) (0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) files: --> (uid=riedel) (0) files: Performing search in "ou=people,dc=fr" with filter "(uid=riedel)", scope "sub" (0) files: Waiting for search result... (0) files: User object found at DN "uid=riedel,ou=people,dc=uni-potsdam,dc=de" (0) files: Checking user object's memberOf attributes (0) files: Performing unfiltered search in "uid=riedel,ou=people,dc=fr", scope "base" (0) files: Waiting for search result... (0) files: Search returned no results (0) files: Can't check membership attributes, user object not found rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://10.9.25.56:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) files: User is not a member of "Gast" (0) [files] = noop rlm_ldap (ldap): Reserved connection (1) (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (uid=riedel) (0) ldap: Performing search in "ou=people,dc=fr" with filter "(uid=riedel)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: User object found at DN "uid=riedel,ou=people,dc=fr" (0) ldap: Processing user attributes (0) ldap: control:NT-Password := 0x3937316136326634626234393063623639653936363163616333356132323734 rlm_ldap (ldap): Released connection (1) (0) [ldap] = updated (0) if (Ldap-Group == "Gast") { (0) Searching for user in group "Gast" rlm_ldap (ldap): Reserved connection (2) (0) Using user DN from request "uid=riedel,ou=people,dc=fr" (0) Checking user object's memberOf attributes (0) Performing unfiltered search in "uid=riedel,ou=people,dc=fr", scope "base" (0) Waiting for search result... (0) Search returned no results (0) Can't check membership attributes, user object not found rlm_ldap (ldap): Released connection (2) (0) User is not a member of "Gast" (0) if (Ldap-Group == "Gast") -> FALSE (0) [expiration] = noop (0) [logintime] = noop (0) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known-good" NT-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (0) update { (0) No attributes updated for RHS &session-state: (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop *(0) Sent Access-Accept Id 164 from 127.0.1.1:1812 <http://127.0.1.1:1812> to 127.0.0.1:56127 <http://127.0.0.1:56127> length 0* (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 164 with timestamp +5 On Wed, Sep 22, 2021 at 2:49 PM Alan DeKok <aland@deployingradius.com> wrote:
On Sep 22, 2021, at 3:06 AM, Sazzad Hossain <sazzad.suzon89@gmail.com> wrote:
I want to block our Guest users to use our VPN and i wrote following under / sites-enable/default.
*ldap*
* if (Ldap-Group [*] == "Gast") { update control { AUth-Type = reject } }*
Why add the [*] ?
All of the documentation and examples say to just use what you did here:
and under /freeradius/users
*DEFAULT Ldap-Group == "Gast", Auth-Type := Reject Fall-Through = yes*
There's no [*] here, which is correct.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 22, 2021, at 9:19 AM, Sazzad Hossain <sazzad.suzon89@gmail.com> wrote:
Another question, although after those two changes [mentioned above], the server is still allowing the GUEST users to login.What i am doing wrong?
Read the debug output, and see if it's doing what you want.
(0) if (Ldap-Group == "Gast") -> FALSE
That seems relevant. Alan DeKok.
Hello, yes,that's the problem.Although its a guest user,it shows following: _______________________________________________________________ 0) *User is not a member of "Gast" [ALthough user is a guest]* (0) if (Ldap-Group == "Gast") -> FALSE (0) [expiration] = noop (0) [logintime] = noop ________________________________________________________________ THanks On Wed, Sep 22, 2021 at 3:22 PM Alan DeKok <aland@deployingradius.com> wrote:
On Sep 22, 2021, at 9:19 AM, Sazzad Hossain <sazzad.suzon89@gmail.com> wrote:
Another question, although after those two changes [mentioned above], the server is still allowing the GUEST users to login.What i am doing wrong?
Read the debug output, and see if it's doing what you want.
(0) if (Ldap-Group == "Gast") -> FALSE
That seems relevant.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Except it doesn't look like it is a guest user?
(0) if (Ldap-Group == "Gast") {
(0) Searching for user in group "Gast"
rlm_ldap (ldap): Reserved connection (2)
(0) Using user DN from request "uid=riedel,ou=people,dc=fr"
(0) Checking user object's memberOf attributes
(0) Performing unfiltered search in "uid=riedel,ou=people,dc=fr",
scope "base"
(0) Waiting for search result...
(0) Search returned no results
(0) Can't check membership attributes, user object not found
rlm_ldap (ldap): Released connection (2)
(0) User is not a member of "Gast"
Check the rlm_ldap docs ?
Jonathan Davis - Priority Colo Inc.
jonathan@prioritycolo.com - https://www.prioritycolo.com
1-888-AS-30176 (1-888-273-0176) x304
On 2021-09-22 9:26 a.m., Sazzad Hossain wrote:
> Hello,
>
> yes,that's the problem.Although its a guest user,it shows following:
>
> _______________________________________________________________
>
> 0) *User is not a member of "Gast" [ALthough user is a guest]*
> (0) if (Ldap-Group == "Gast") -> FALSE
> (0) [expiration] = noop
> (0) [logintime] = noop
>
> ________________________________________________________________
>
> THanks
>
> On Wed, Sep 22, 2021 at 3:22 PM Alan DeKok <aland@deployingradius.com>
> wrote:
>
>> On Sep 22, 2021, at 9:19 AM, Sazzad Hossain <sazzad.suzon89@gmail.com>
>> wrote:
>>> Another question, although after those two changes [mentioned above], the
>>> server is still allowing the GUEST users to login.What i am doing wrong?
>> Read the debug output, and see if it's doing what you want.
>>
>>
>>> (0) if (Ldap-Group == "Gast") -> FALSE
>> That seems relevant.
>>
>> Alan DeKok.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello,
i have found my mistake and change it [@ sites-enables/default] but now it
shows this failure output. Any idea?
Regards
_____________________________________________________________________________________________________________________________________________________________________________
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.9.25.56:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.9.25.56:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.9.25.56:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.9.25.56:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.9.25.56:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Instantiating module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "files" from file
/etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
/etc/freeradius/3.0/mods-config/files/authorize[96]: *Entry does not begin
with a user name*
*Failed reading /etc/freeradius/3.0/mods-config/files/authorize*
/etc/freeradius/3.0/mods-enabled/files[9]: *Instantiation failed for module
"files"*
On Wed, Sep 22, 2021 at 3:30 PM Jonathan Davis <jonathan@prioritycolo.com>
wrote:
> Except it doesn't look like it is a guest user?
>
> (0) if (Ldap-Group == "Gast") {
> (0) Searching for user in group "Gast"
> rlm_ldap (ldap): Reserved connection (2)
> (0) Using user DN from request "uid=riedel,ou=people,dc=fr"
> (0) Checking user object's memberOf attributes
> (0) Performing unfiltered search in "uid=riedel,ou=people,dc=fr",
> scope "base"
> (0) Waiting for search result...
> (0) Search returned no results
> (0) Can't check membership attributes, user object not found
> rlm_ldap (ldap): Released connection (2)
> (0) User is not a member of "Gast"
>
> Check the rlm_ldap docs ?
>
> Jonathan Davis - Priority Colo Inc.
> jonathan@prioritycolo.com - https://www.prioritycolo.com
> 1-888-AS-30176 (1-888-273-0176) x304
>
> On 2021-09-22 9:26 a.m., Sazzad Hossain wrote:
> > Hello,
> >
> > yes,that's the problem.Although its a guest user,it shows following:
> >
> > _______________________________________________________________
> >
> > 0) *User is not a member of "Gast" [ALthough user is a guest]*
> > (0) if (Ldap-Group == "Gast") -> FALSE
> > (0) [expiration] = noop
> > (0) [logintime] = noop
> >
> > ________________________________________________________________
> >
> > THanks
> >
> > On Wed, Sep 22, 2021 at 3:22 PM Alan DeKok <aland@deployingradius.com>
> > wrote:
> >
> >> On Sep 22, 2021, at 9:19 AM, Sazzad Hossain <sazzad.suzon89@gmail.com>
> >> wrote:
> >>> Another question, although after those two changes [mentioned above],
> the
> >>> server is still allowing the GUEST users to login.What i am doing
> wrong?
> >> Read the debug output, and see if it's doing what you want.
> >>
> >>
> >>> (0) if (Ldap-Group == "Gast") -> FALSE
> >> That seems relevant.
> >>
> >> Alan DeKok.
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
On Sep 22, 2021, at 11:08 AM, Sazzad Hossain <sazzad.suzon89@gmail.com> wrote:
i have found my mistake and change it [@ sites-enables/default] but now it shows this failure output. Any idea? ... reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize /etc/freeradius/3.0/mods-config/files/authorize[96]: *Entry does not begin with a user name* *Failed reading /etc/freeradius/3.0/mods-config/files/authorize* /etc/freeradius/3.0/mods-enabled/files[9]: *Instantiation failed for module "files"*
You edited the configuration files and broke the server. Don't do that. Follow the examples and the documentation. The format of that file is extensively documented. And I never understand the point of asking a question, but not saying what you did. WHAT change did you make? What is on line 9 of that file? We don't know, and you're refusing to tell us. Please learn to ask good questions. Please also follow the documentation and examples. If you're making simple mistakes, it's always best to read the docs. When you post many questions a day, each of which contains simple syntax errors, it makes it difficult for us to help you. All of the replies you get will be "read the docs". Alan DeKok.
Looks like user isn't a member of GAST, then it pulls an NT-Password which matches what's supplied, so auth OK using PAP.
(0) pap: Login attempt with password
(0) pap: Comparing with "known-good" NT-Password
(0) pap: User authenticated successfully
Jonathan Davis - Priority Colo Inc.
jonathan@prioritycolo.com - https://www.prioritycolo.com
1-888-AS-30176 (1-888-273-0176) x304
On 2021-09-22 9:19 a.m., Sazzad Hossain wrote:
> Hello Alan,
>
> Thanks for your time.
>
> Another question, although after those two changes [mentioned above], the
> server is still allowing the GUEST users to login.What i am doing wrong?
> Any help will be thankfully appreciated.
>
> Have a nice day!
>
>
> __________________________________________________________________________________________________________________
>
> (0) Received Access-Request Id 164 from 127.0.0.1:56127 to 127.0.1.1:1812
> length 76
> (0) User-Name = "riedel"
> (0) User-Password = "testtest1A"
> (0) NAS-IP-Address = 127.0.1.1
> (0) NAS-Port = 1812
> (0) Message-Authenticator = 0xf39ecbe7fd56fcc239189fe5e548c9cc
> (0) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /@\./) {
> (0) if (&User-Name =~ /@\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "riedel", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0) [suffix] = noop
> (0) eap: No EAP-Message, not doing EAP
> (0) [eap] = noop
> *(0) files: Searching for user in group "Gast"*
> rlm_ldap (ldap): Reserved connection (0)
> (0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) files: --> (uid=riedel)
> (0) files: Performing search in "ou=people,dc=fr" with filter
> "(uid=riedel)", scope "sub"
> (0) files: Waiting for search result...
> (0) files: User object found at DN
> "uid=riedel,ou=people,dc=uni-potsdam,dc=de"
> (0) files: Checking user object's memberOf attributes
> (0) files: Performing unfiltered search in "uid=riedel,ou=people,dc=fr",
> scope "base"
> (0) files: Waiting for search result...
> (0) files: Search returned no results
> (0) files: Can't check membership attributes, user object not found
> rlm_ldap (ldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://10.9.25.56:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (0) files: User is not a member of "Gast"
> (0) [files] = noop
> rlm_ldap (ldap): Reserved connection (1)
> (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) ldap: --> (uid=riedel)
> (0) ldap: Performing search in "ou=people,dc=fr" with filter
> "(uid=riedel)", scope "sub"
> (0) ldap: Waiting for search result...
> (0) ldap: User object found at DN "uid=riedel,ou=people,dc=fr"
> (0) ldap: Processing user attributes
> (0) ldap: control:NT-Password :=
> 0x3937316136326634626234393063623639653936363163616333356132323734
> rlm_ldap (ldap): Released connection (1)
> (0) [ldap] = updated
> (0) if (Ldap-Group == "Gast") {
> (0) Searching for user in group "Gast"
> rlm_ldap (ldap): Reserved connection (2)
> (0) Using user DN from request "uid=riedel,ou=people,dc=fr"
> (0) Checking user object's memberOf attributes
> (0) Performing unfiltered search in "uid=riedel,ou=people,dc=fr",
> scope "base"
> (0) Waiting for search result...
> (0) Search returned no results
> (0) Can't check membership attributes, user object not found
> rlm_ldap (ldap): Released connection (2)
> (0) User is not a member of "Gast"
> (0) if (Ldap-Group == "Gast") -> FALSE
> (0) [expiration] = noop
> (0) [logintime] = noop
> (0) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
> (0) [pap] = updated
> (0) } # authorize = updated
> (0) Found Auth-Type = PAP
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) Auth-Type PAP {
> (0) pap: Login attempt with password
> (0) pap: Comparing with "known-good" NT-Password
> (0) pap: User authenticated successfully
> (0) [pap] = ok
> (0) } # Auth-Type PAP = ok
> (0) # Executing section post-auth from file
> /etc/freeradius/3.0/sites-enabled/default
> (0) post-auth {
> (0) if (session-state:User-Name && reply:User-Name && request:User-Name
> && (reply:User-Name == request:User-Name)) {
> (0) if (session-state:User-Name && reply:User-Name && request:User-Name
> && (reply:User-Name == request:User-Name)) -> FALSE
> (0) update {
> (0) No attributes updated for RHS &session-state:
> (0) } # update = noop
> (0) [exec] = noop
> (0) policy remove_reply_message_if_eap {
> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (0) else {
> (0) [noop] = noop
> (0) } # else = noop
> (0) } # policy remove_reply_message_if_eap = noop
> (0) } # post-auth = noop
> *(0) Sent Access-Accept Id 164 from 127.0.1.1:1812 <http://127.0.1.1:1812>
> to 127.0.0.1:56127 <http://127.0.0.1:56127> length 0*
> (0) Finished request
> Waking up in 4.9 seconds.
> (0) Cleaning up request packet ID 164 with timestamp +5
>
>
>
>
>
>
> On Wed, Sep 22, 2021 at 2:49 PM Alan DeKok <aland@deployingradius.com>
> wrote:
>
>> On Sep 22, 2021, at 3:06 AM, Sazzad Hossain <sazzad.suzon89@gmail.com>
>> wrote:
>>> I want to block our Guest users to use our VPN and i wrote following
>> under /
>>> sites-enable/default.
>>>
>>> *ldap*
>>>
>>> * if (Ldap-Group [*] == "Gast") { update control {
>>> AUth-Type = reject } }*
>> Why add the [*] ?
>>
>> All of the documentation and examples say to just use what you did here:
>>
>>> and under /freeradius/users
>>>
>>>
>>> *DEFAULT Ldap-Group == "Gast", Auth-Type := Reject Fall-Through =
>>> yes*
>> There's no [*] here, which is correct.
>>
>> Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Jonathan Davis -
Sazzad Hossain