using AND logic instead of OR logic with authorization?

Michael Hare michael.hare at doit.wisc.edu
Wed Aug 31 21:04:54 CEST 2005 

Hello-

I'd like to authorize users based on their Calling-Station-Id via a 
local users file and authenticate/authorize (simple access allowed flag) 
via an ldap server.  The reason I need to double authorize is because I 
do not have rights to add/edit any data in the remote ldap server.  I 
need the authorization to essentially be an "AND" (ie, I need both 
authorizations to return true in order to accept the user).  Is this 
possible?

I've tried doing this within a single radius instance, and I've also 
tried having the ldap interaction happen via a radius proxy without 
success.  Here is my users file

DEFAULT Calling-Station-Id =~ "^144\.92\."
        Service-Type = NAS-Prompt-User

Here is what a debug looks like

rad_recv: Access-Request packet from host 144.92.44.114:4447, id=30, 
length=123
         User-Name = "mdhare"
         User-Password = "mypass"
         NAS-Port = 2905
         Service-Type = Framed-User
         Framed-Protocol = PPP
         Called-Station-Id = "144.92.44.114"
         Calling-Station-Id = "128.104.19.106"
         Tunnel-Client-Endpoint:0 = "128.104.19.106"
         NAS-IP-Address = 144.92.44.114
         NAS-Port-Type = Virtual
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "attr_filter" returns noop for request 0
     rlm_realm: No '@' in User-Name = "mdhare", looking up realm NULL
     rlm_realm: Found realm "NULL"
     rlm_realm: Adding Stripped-User-Name = "mdhare"
     rlm_realm: Proxying request from user mdhare to realm NULL
     rlm_realm: Adding Realm = "NULL"
     rlm_realm: Preparing to proxy authentication request to realm "NULL"
   modcall[authorize]: module "suffix" returns updated for request 0
   modcall[authorize]: module "files" returns notfound for request 0

it as at this point I'd like authorization to stop, but it continues. 
What am I doing wrong?

modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 144.92.254.243:1812
...
...
rad_recv: Access-Accept packet from host 144.92.254.243:1812, id=0, 
length=30
         Service-Type = NAS-Prompt-User
         Proxy-State = 0x3330


I'd be happy to provide configuration and output that I have now for 
testing, but there's no sense in being verbose if this isn't possible in 
general.

Thanks-
-Michael


-- 
=======================W===
Michael Hare
UW-Madison + WiscNet Network Engineering
Desk:      608-262-5236
24 Hr Noc: 608-263-4188

More information about the Freeradius-Users mailing list