Allowing Access via 'users' when LDAP fails

Fajar A. Nugraha fajar at
Tue Feb 2 03:27:57 CET 2010

On Mon, Feb 1, 2010 at 10:50 PM, Amaru Netapshaak
<postfix_amaru at> wrote:
> Anyway, if you still need "accept all", Alan's example should work.
> Put something like this on authorize section
>         ldap
>         if (notfound) {
>                 update control {
>                         Auth-Type = Accept
>                 }
>                 update reply {
>                         Tunnel-Private-Group-ID = 10
>                 }
>         }
> that way if the user is NOT in ldap, it will simply return
> Access-Accept with attribute Tunnel-Private-Group-ID = 10 (you can add
> other required reply attributes there as well).

> I tried your suggestion, still returns REJECT.

Where did you put it? Perhaps you put it in the wrong section? I
tested it with radtest, and it works (returns Accept).
But if you're testing it with actual EAP clients it needs to be in
authorize section of sites-enabled/inner-tunnel.

Also, running radius in debug mode might help. It'll help identify
whether the ldap module actually returns notfound during authorize, or
returns something else.


More information about the Freeradius-Users mailing list