Allowing Access via 'users' when LDAP fails
Amaru Netapshaak
postfix_amaru at yahoo.com
Fri Jan 29 22:27:26 CET 2010
________________________________
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Thu, January 28, 2010 1:00:47 AM
Subject: Re: Allowing Access via 'users' when LDAP fails
Amaru Netapshaak wrote:
> Right now, if a user isn't found in the LDAP database, a reject is
> returned to the switch and the port goes offline. What I'd rather have
> is RADIUS reply with a standard response (if the LDAP auth fails).
See doc/configurable_failover for over-riding return codes.
> I tried to do this in the users file, by moving 'files' to below 'ldap'
> in sites-enabled/default and then creating a DEFAULT entry in users that
> returned the VLAN information I wanted, but then it didn't include other
> relevant info that the switch needs.
That won't work.
What you want is:
ldap
if (notfound) {
        update reply {
                ... insert attributes here...
        }
}
You don't need the "users" file.
Alan DeKok.
Alan,
Thanks for your reply. I consulted the failover document as you suggested, but it seems that I cannot turn a REJECT into an ACCEPT
that way, which is my problem. LDAP/EAP will reject an unauthorized user as it isn't found in LDAP, but I need FreeRADIUS to say "ACCEPT"
this user anyway, include the right EAP information, as would an Access-Accept message, and also include my VLAN attributes (done as you
described above).
Just can't seem to turn REJECT into ACCEPT. Any more tips?
Thanks!
AMARU
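Editor's note: the fragment below is an added illustration of the unlang pattern Alan describes, not configuration posted by either participant or shipped by the FreeRADIUS project. It fills in the "insert attributes here" placeholder with the RFC 3580 tunnel attributes a switch reads for VLAN assignment. The VLAN ID 100 and the placement in the authorize section of sites-enabled/default are assumptions; for PEAP or TTLS the inner identity is looked up in the inner-tunnel virtual server, so the same branch would go in that server's authorize section instead.

```unlang
# Added example (not from the thread). Assumes the ldap module is already
# configured and that VLAN 100 is the VLAN the switch should use for
# identities that are not in the directory (both assumed).
authorize {
        preprocess
        eap {
                ok = return
        }

        ldap

        # "notfound" is the ldap module's return code when the identity
        # has no entry in the directory. Only the reply list is touched:
        # the authentication result is decided later, in authenticate.
        if (notfound) {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "100"
                }
        }
}
```

This does what Alan's snippet does and no more: it attaches VLAN attributes to whatever reply is eventually sent. It does not change that reply from Access-Reject to Access-Accept, which is the point Amaru's follow-up makes. With EAP there is nothing in the directory to verify the user's credential against, so the EAP exchange still ends in failure, and RADIUS is designed so that a failed authentication does not produce an Access-Accept; reply attributes added in authorize are simply discarded on a reject.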