question on users file

Jeffrey Wang jeffrey.wang at comdev.ca
Thu Mar 25 18:54:02 CET 2010


Hi John,

I have to use file & LDAP lookup first to set the W-Class (which will identify the user class based on their user-membership).

For users who require wireless access, I had this entry:
# Wireless/users
DEFAULT NAS-Port-Type == 19, W-Class == wireless-users, Auth-Type := PAP
        Service-Type = Framed-User,
        ...

For non-wireless users, I will set one password:
# Non-wireless users
DEFAULT NAS-Port-Type == 19, user-password := "{md5}70e1e27d529f1e50097d642f9452de18"
        Service-Type = Framed-User,
        ...

This works when the wireless user is not in the password file or LDAP. However, once cleartext-password is set, user-password is ignored.

Jeff

-----Original Message-----
From: John Dennis [mailto:jdennis at redhat.com] 
Sent: Thursday, March 25, 2010 1:36 PM
To: FreeRadius users mailing list
Cc: Jeffrey Wang
Subject: Re: question on users file

On 03/25/2010 12:31 PM, Jeffrey Wang wrote:
> I am using freeradius server against my ldap server for regular user
> access and eap. I need the wireless user treated differently. So I
> created an entry in the users file and would like to set user-password for
> these users in encrypted form. For the users that are not in ldap, it
> worked fine. However, the users that are in the ldap had been updated with
> cleartext-password, and radius ignores my user-password and uses
> cleartext-password from ldap.
>
> Can I delete the configuration items (cleartext-password) I set in a
> previous process, such as ldap or password file?

We have no clue what you did in a previous process nor what version of 
FreeRADIUS you're using.

You could do one of several things:

Move the users file processing above the ldap in the authorize section of 
your config file so the user is found in the users file first.

Put those special users in an ldap group and do not return authorize 
information if they are members of that group.

Remove the password attribute for those users from your ldap directory; 
rlm_ldap can't return what it can't find.

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
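One way to express what the thread is working toward, added here as an illustration and not taken from either poster: let ldap run first so it can populate W-Class, then replace the LDAP-derived password for the non-wireless class in unlang instead of with a user-password check item, which FreeRADIUS no longer treats as a "known good" password. FreeRADIUS 2.x, a W-Class attribute that ends up in the control list, and the file path are assumptions.

```unlang
# raddb/sites-enabled/default, authorize section (FreeRADIUS 2.x assumed).
# ldap runs before files so the users file can still see W-Class, which
# is assumed here to be placed in the control list by the ldap lookup.
authorize {
    preprocess
    ldap
    files

    # Users on a wireless port (NAS-Port-Type 19) who are NOT in the
    # wireless-users class get the single shared password. "!* ANY" drops
    # every Cleartext-Password rlm_ldap added, so rlm_pap cannot prefer
    # it; Password-With-Header lets rlm_pap understand the "{md5}" prefix.
    if ((NAS-Port-Type == Wireless-802.11) && (control:W-Class != "wireless-users")) {
        update control {
            Cleartext-Password !* ANY
            Password-With-Header := "{md5}70e1e27d529f1e50097d642f9452de18"
        }
    }

    # rlm_pap sets Auth-Type := PAP when a known-good password is present.
    pap
}
```

Check the result with a PAP request for both classes and confirm in the debug output (radiusd -X) that Cleartext-Password is absent from the control list for the non-wireless user.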
