separating Users?

tnt at kalik.net tnt at kalik.net
Tue Dec 1 00:12:36 CET 2009


> On 11/30/2009 05:07 PM, freeradius at corwyn.net wrote:
>> At 03:27 PM 11/30/2009, David Mitchell wrote:
>>> 1) Don't specify the Auth-Type. You still want to check the password I
>>> assume. I think your config will let in any user who is in group
>>> "Group1" irrespective of the supplied password.
>>
>> Sigh. Here I was all excited that I had everything working, and was
>> merrily working on my docs and making them into a HOWTO. And you're
>> right on target. Correct user ID any password permits access.
>>
>> So here's my users file once I take that out:
>> DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == "Infrastructure"
>>         Service-Type := NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15"
>> DEFAULT Auth-Type = ntlm_auth
>>
>> And now it doesn't work.
>> "Authentication failed".
>>
>> If I switch the order I get:
>> "Authorization failed"
>
> You need to set fall-through so that you still do per user processing.
> This is documented in the raddb/users file and you should also read
> doc/processing_users_file

Or just add Auth-Type := ntlm_auth to the first line (i.e. instead of
Accept). Fall-Through is more elegant since you don't have to add
Auth-Type to every DEFAULT entry.

Ivan Kalik
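
The three states discussed in this thread written out as users file entries, added here as an illustration rather than the original poster's file; the check-item values are the ones quoted above, and the three entries are alternatives to pick one of, not one file:

```text
# Original entry: Auth-Type := Accept skips the password check entirely,
# so a correct user ID with any password gets priv-lvl 15.
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == "Infrastructure", Auth-Type := Accept
        Service-Type := NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15"

# Fix 1 (Fall-Through): without it, processing stops at the first matching
# DEFAULT and the second DEFAULT never sets Auth-Type, hence the
# "Authentication failed". Fall-Through = Yes lets the next entry run too.
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == "Infrastructure"
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15",
        Fall-Through = Yes

DEFAULT Auth-Type := ntlm_auth

# Fix 2 (Auth-Type on the first line): no Fall-Through needed, but every
# DEFAULT entry that grants access must then carry its own Auth-Type.
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == "Infrastructure", Auth-Type := ntlm_auth
        Service-Type := NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15"
```

In either fix the password is still verified by ntlm_auth, which is the check the Accept entry was bypassing.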
