Simple attribute question!
Franks Andy (RLZ) IT Systems Engineer
Andy.Franks at sath.nhs.uk
Wed Aug 29 21:45:35 CEST 2012
Hi
I have a seemingly simple thing I need to do, however it doesn't
seem to be working. In the users file I do a quick match to see if a
user is in the regex list I put in (this is for overrides of an ldap
group, determining higher privileges, but still basic access for the
group users), and then another regex checking against a certain IP range:
DEFAULT User-Name =~ "frankdsa|everdstons|kirddksa|kefls", NAS-IP-Address =~ "192.168.104.*"
    Reply-Message += "Welcome %{User-Name}\n",
    Reply-Message += "Admin access",
    Cisco-AVPair := "shell:priv-lvl=15"
This adds a couple of reply messages when the user logs in. Of course
the users file is pre-auth so it doesn't care if the ultimate request
gets rejected or not based on authorization or some other check.
Therefore I've added this to the post-auth-type reject section of the
default virtual server:
Post-Auth-Type REJECT {
    update reply {
        Reply-Message := "Authentication failed"
    }
}
It may be wiser to return nothing, i.e. Reply-Message := "" for security
reasons, but the point is that the reply-messages set in the users file
still pass through, so I get
Welcome (username)
Admin Access
Authentication Failed
All together. Am I doing something wrong? I also tried Reply-Message !*,
but this stopped the service firing up (version 2.10 - I see this was
talked about being fixed in 2.8?), or
Reply-Message -= "%{reply:Reply-Message}"
Which didn't work either.
Any ideas?
Thanks
Andy
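
Added example, not part of the original post: the check line in the users entry uses =~, which is an unanchored regular-expression match, so the patterns as posted also match longer usernames and other addresses that merely contain them, and the entry hands out shell:priv-lvl=15. The Python sketch below compares the posted patterns with anchored ones over constructed sample requests; the anchored patterns, the function names, and the assumption that the intent is exact usernames on 192.168.104.0/24 are assumptions of this example.

```python
import re

# Patterns copied from the users entry in the post.
LOOSE_USER = r"frankdsa|everdstons|kirddksa|kefls"
LOOSE_NAS = r"192.168.104.*"

# Anchored forms (assumption: exact usernames, NAS in 192.168.104.0/24).
# Written so they are also valid POSIX extended regular expressions.
STRICT_USER = r"^(frankdsa|everdstons|kirddksa|kefls)$"
STRICT_NAS = r"^192\.168\.104\.[0-9]{1,3}$"


def grants_admin(user, nas_ip, user_re, nas_re):
    """Mimic the check line: both regexes must match somewhere in the value."""
    return bool(re.search(user_re, user)) and bool(re.search(nas_re, nas_ip))


def audit(samples):
    """Return the requests the posted patterns accept but the anchored ones reject."""
    over_matched = []
    for user, nas_ip in samples:
        loose = grants_admin(user, nas_ip, LOOSE_USER, LOOSE_NAS)
        strict = grants_admin(user, nas_ip, STRICT_USER, STRICT_NAS)
        if loose and not strict:
            over_matched.append((user, nas_ip))
    return over_matched


# Constructed sample requests (User-Name, NAS-IP-Address); not from the post.
SAMPLES = [
    ("frankdsa", "192.168.104.10"),   # intended admin on intended NAS
    ("mikefls", "192.168.104.10"),    # contains "kefls" as a substring
    ("frankdsa2", "192.168.104.10"),  # listed name plus a suffix
    ("frankdsa", "10.192.168.104"),   # NAS address merely contains the prefix
    ("someuser", "192.168.104.10"),   # ordinary group user
]

if __name__ == "__main__":
    for user, nas_ip in audit(SAMPLES):
        print(f"over-match: {user} via {nas_ip}")
```
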