Stop after mac auth

Rob Yamry ryamry at kimberly.k12.wi.us
Mon Dec 13 16:03:34 CET 2010


99% of my config authenticates against ldap. There are certain situations
(mainly authenticating our old phones) where I need to have mac auth as
well.  Both methods are authenticating fine.  The problem is that I would
like for freeradius to not search ldap when the "if ((Service-Type ==
'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i))" comes back as
TRUE.  As the config is now (output below), it runs the condition and
regardless of the outcome it performs a search against ldap for the mac,
which will always fail and causes unnecessary queries.

How can I accomplish this?

++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++? if ((Service-Type == 'Call-Check') || (User-Name =~
/^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') -> FALSE
        expand: ^%{Calling-Station-ID}$ -> ^00-24-d6-a6-ce-ce$
?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
++? if ((Service-Type == 'Call-Check') || (User-Name =~
/^%{Calling-Station-ID}$/i)) -> TRUE
++- entering if ((Service-Type == 'Call-Check') || (User-Name =~
/^%{Calling-Station-ID}$/i)) {...}
+++[control] returns noop
++- if ((Service-Type == 'Call-Check') || (User-Name =~
/^%{Calling-Station-ID}$/i)) returns noop
++[chap] returns noop
[ldap] performing user authorization for 00-24-d6-a6-ce-ce
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> 00-24-d6-a6-ce-ce
[ldap]  expand: (cn=%{Stripped-User-Name:-%{User-Name}}) ->
(cn=00-24-d6-a6-ce-ce)
[ldap]  expand: o=kasd -> o=kasd
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap.company.com:389, authentication 0
  [ldap] setting TLS CACert File to /etc/raddb/certs/CA.pem
  [ldap] starting TLS
  [ldap] bind as cn=radmin,o=org/<password> to ldpa.company.com:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in o=org, with filter (cn=00-24-d6-a6-ce-ce)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = CSID
+- entering group CSID {...}
++? if (Chap-Password)
? Evaluating (Chap-Password) -> FALSE
++? if (Chap-Password) -> FALSE
++- entering else else {...}
+++[ok] returns ok
++- else else returns ok
Login OK: [00-24-d6-a6-ce-ce] (from client kasd port 0 cli
00-24-d6-a6-ce-ce)
+- entering group post-auth {...}
++[ldap] returns noop
++[exec] returns noop
++? if (control:Auth-Type == 'CSID')
? Evaluating (control:Auth-Type == 'CSID') -> TRUE
++? if (control:Auth-Type == 'CSID') -> TRUE
++- entering if (control:Auth-Type == 'CSID') {...}
[authorized_macs]       expand: %{Calling-Station-ID} -> 00-24-d6-a6-ce-ce
[authorized_macs] users: Matched entry 00-24-d6-a6-ce-ce at line 1
+++[authorized_macs.authorize] returns ok
+++? if (!ok)
? Evaluating !(ok) -> FALSE
+++? if (!ok) -> FALSE
++- if (control:Auth-Type == 'CSID') returns ok
Sending Access-Accept of id 65 to 10.1.2.85 port 53168
        Reply-Message = "MyLaptop"
        Service-Type := Call-Check
        Filter-Id = "Students"
Finished request 0.
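One way to get the behaviour asked for above, as an added example and not the poster's own configuration: the debug output shows the `if` block already runs an `update control` (the `+++[control] returns noop` line) and that the request later matches `Auth-Type = CSID`, so the ldap call only has to be moved into the `else` branch of that same condition. Everything outside the condition shown in the post (the module list, the `CSID` authenticate group name) is assumed to match the poster's existing setup.

```unlang
# authorize section, FreeRADIUS 2.x unlang (assumed layout; only the
# if/else around ldap is the point of this example)
authorize {
    preprocess
    chap
    eap
    unix
    files

    # MAC-auth requests: Call-Check, or a User-Name that is just the MAC.
    if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        # Force the CSID authenticate group; nothing else needs to run.
        update control {
            Auth-Type := CSID
        }
    }
    else {
        # Everyone else is looked up in LDAP; MAC-style names never get here,
        # so the guaranteed-to-fail (cn=<mac>) search no longer happens.
        ldap
    }

    expiration
    logintime
    pap
}
```

With ldap in the `else` branch the `[ldap] performing user authorization for 00-24-d6-a6-ce-ce` / `object not found` lines disappear from the debug output for phone requests, and the post-auth `authorized_macs` check still decides whether the MAC is actually allowed. Separately, the `WARNING: Deprecated conditional expansion ":-"` comes from the ldap module's own `filter` setting; the form FreeRADIUS 2.x expects is `(cn=%{%{Stripped-User-Name}:-%{User-Name}})`.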