Checking ldap-group in post-auth instead of users file?
Fred MAISON
fred.maison at gmail.com
Tue Jun 1 12:41:38 CEST 2010
Hello all,
I am running into difficulties checking for a radiusgroupname via LDAP without
using the file /etc/raddb/users, as it seems difficult to avoid LDAP checks for
anonymous identities if the default config is modified.
I must support EAP-PEAP and EAP-TTLS with MSCHAPv2.
How can I make checks on the LDAP radiusgroupname without using the users
file?
I have not been able to place something like this in the post-auth
section of inner-tunnel ...
    if ( "%{control:Ldap-Group}" == "wireless" ) {
        noop
    } else {
        reject
    }
I tried to replace this in users:
    # for proxy.conf to work :
    DEFAULT Realm == "myreal.com"
    	Reply-Message += "real is %{Realm}"

    DEFAULT Auth-Type == EAP, EAP-Type == Cisco-LEAP, Ldap-Group == wireless
    	Reply-Message = "Cisco-LEAP match in users : EAP-Type%{EAP-Type}"

    DEFAULT Auth-Type == EAP, EAP-Type == Generic-Token-Card, Ldap-Group == wireless
    	Reply-Message = "match in users : EAP-Type:%{EAP-Type}"

    DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Ldap-Group == wireless
    	Reply-Message += "in %{Virtual-Server}, proxy %{FreeRADIUS-Proxied-To}, EAP-Type:%{EAP-Type}"

    DEFAULT Auth-Type == EAP
    	Reply-Message += "in users : EAP-Type:%{EAP-Type}"

    DEFAULT Auth-Type := Reject
    	Reply-Message += "Please call the helpdesk."
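Added example (not part of the post above, nor the FreeRADIUS project's own configuration) of the group check the poster is after, placed in the inner-tunnel post-auth section in FreeRADIUS 2.x unlang syntax. It assumes an rlm_ldap instance named ldap with group membership checking configured (groupname_attribute / groupmembership_filter), so that rlm_ldap registers the Ldap-Group comparison attribute; the group name "wireless" and the helpdesk message are taken from the post.

```unlang
# Added example: inner-tunnel virtual server, FreeRADIUS 2.x.
# Assumes rlm_ldap instance "ldap" is loaded and group checking is
# configured, so the Ldap-Group comparison attribute exists.
server inner-tunnel {

    # authorize keeps its default contents (eap, files, mschap, ldap, ...);
    # the users file no longer needs the Ldap-Group lines.

    post-auth {
        # Ldap-Group is a comparison attribute registered by rlm_ldap:
        # referencing it by name in a condition triggers the LDAP group
        # lookup for the current User-Name. Because this runs inside the
        # tunnel, User-Name is the real inner identity of the PEAP/TTLS
        # session, never the anonymous outer identity, so no LDAP query
        # is made for "anonymous".
        if (Ldap-Group == "wireless") {
            update reply {
                Reply-Message := "member of wireless: access granted"
            }
        }
        else {
            # Fail closed: the user is not in the group, or the lookup
            # itself failed. reject here turns the inner Access-Accept
            # into an Access-Reject, which ends the EAP session with a
            # failure.
            update reply {
                Reply-Message := "Please call the helpdesk."
            }
            reject
        }
    }
}
```

Run the server with `radiusd -X` and watch for the `Ldap-Group` comparison in the inner-tunnel debug output to confirm the lookup is made against the inner identity.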
More information about the Freeradius-Users mailing list