Allowing Access via 'users' when LDAP fails
Fajar A. Nugraha
fajar at fajar.net
Tue Feb 2 03:27:57 CET 2010
On Mon, Feb 1, 2010 at 10:50 PM, Amaru Netapshaak
<postfix_amaru at yahoo.com> wrote:
> Anyway, if you still need "accept all", Alan's example should work.
> Put something like this on authorize section
>
> ldap
> if (notfound) {
>     update control {
>         Auth-Type = Accept
>     }
>     update reply {
>         Tunnel-Private-Group-ID = 10
>     }
> }
>
> that way if the user is NOT in ldap, it will simply return
> Access-Accept with attribute Tunnel-Private-Group-ID = 10 (you can add
> other required reply attributes there as well).
> I tried your suggestion, still returns REJECT.
Where did you put it? Perhaps you put it in the wrong section? I
tested it with radtest, and it works (returns Accept).
But if you're testing it with actual EAP clients, it needs to be in the
authorize section of sites-enabled/inner-tunnel.
Also, running radius in debug mode might help. It'll help identify
whether the ldap module actually returns notfound during authorize, or
returns something else.
--
Fajar
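The fallback discussed in this thread, written out as an added example (not code from the thread or from the FreeRADIUS project). It assumes FreeRADIUS 2.x unlang, a working `ldap` module instance, and that the section lives in the authorize section of sites-enabled/inner-tunnel for EAP clients or sites-enabled/default for plain PAP requests such as those sent by radtest. The surrounding modules (preprocess, suffix, files, pap) are the usual default ones and are shown only for placement; the `:=` operator and the extra Tunnel-Type / Tunnel-Medium-Type attributes are my additions.

```unlang
# Added example, not from the thread. Assumed location: the authorize
# section of sites-enabled/inner-tunnel (EAP) or sites-enabled/default
# (plain PAP / radtest).
authorize {
    preprocess
    suffix
    files

    # rlm_ldap returns ok/updated when the user is found, notfound when
    # the search ran but matched no entry, and fail when the server could
    # not be reached or the bind failed. A fail stops the section, so an
    # LDAP outage does not turn every unknown user into a guest; only the
    # "searched and did not find" case reaches the block below.
    ldap

    if (notfound) {
        update control {
            # ":=" overwrites any Auth-Type an earlier module already set.
            Auth-Type := Accept
        }
        update reply {
            # Full VLAN assignment per RFC 3580; a bare
            # Tunnel-Private-Group-ID is ignored by many switches.
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-ID := "10"
        }
    }

    pap
}
```

To check which branch is taken, start the server in debug mode (`radiusd -X`, or `freeradius -X` on Debian-based packages) and send a request with a user that is not in LDAP, e.g. `radtest nosuchuser anypassword localhost 0 testing123` against the default client secret. The debug output prints each module's return code (in 2.x a line of the form `++[ldap] returns notfound`); if it shows `fail` instead, the server never reached the `if (notfound)` block and the reject is coming from the LDAP connection or bind, not from the lookup. For PEAP/EAP-MSCHAPv2 clients the inner request still has to complete the EAP-MSCHAPv2 exchange, so this fallback is only meaningful for inner methods that carry a plain password, such as EAP-TTLS/PAP.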