Filter OpenLDAP users account upon Freeradius 3.0.10 NAS-Port-Id

François Lacombe fl.infosreseaux at gmail.com
Thu Dec 17 00:34:33 CET 2015


2015-12-15 19:36 GMT+01:00 Alan DeKok <aland at deployingradius.com>:
> On Dec 15, 2015, at 1:30 PM, François Lacombe <fl.infosreseaux at gmail.com> wrote:
>> I'm not sure OpenSWAN and StrongSwan are the same software.
>
>   They're based on the same FreeSWAN code base.

Ok

>
>> As explained in the first lines of this article:
>> https://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius
>> Strongswan only redirects EAP packets to the radius. The EAP packets
>> come directly from users.
>
>   Please read the page again.  That's EAP.  It's NOT sending RADIUS packets from the end users to FreeRADIUS.
>
>   StrongSWAN is sending RADIUS packets to FreeRADIUS.  StrongSWAN is the RADIUS client.

Ok I wasn't making the right distinction.
Thank you for this information.

>> I've changed the filter and now the RADIUS only authorizes users with
>> networkAccess corresponding to NAS-Port-Id. It's ok.
>> If not, LDAP isn't returning any result and Freeradius still goes into the
>> authenticate section instead of directly rejecting the request in the
>> Authorize section. Is this correct?
>
>   Yes.  LDAP is just a database.
>
>> In this particular case, Freeradius would do better to reject the request
>> in the Authorize section, wouldn't it?
>
>   Not for EAP.
>
>   And the server is NOT set up to automatically reject users who aren't found in the database.  *You* can configure that, but it's not the default.  This is because some people have users in multiple databases.  And they want the server to try them all, instead of just rejecting a user who isn't found in the first database.

Ok.
Obviously I won't ask to change things, I was only interested to know
if all was normal.

As you suggest, how can I prevent freeradius from going into the authenticate
section when LDAP returns no user record?


All the best


François L.


