How to differentiate between vpn user and appliance user?
Alan DeKok
aland at deployingradius.com
Sun Jul 26 13:35:57 CEST 2015
On Jul 25, 2015, at 6:48 PM, D C <dc12078 at gmail.com> wrote:
> Thanks to radiusd -X, I found that my fortigate appliance sends an
> attribute in the request called "Connect-Info" which distinguishes if it's
> a VPN login or an admin login.
That's why we recommend reading the debug output. :)
> I can do something like this in post-auth which "works" (ignore typos,
> I'm going off the top of my head here).
> When the user is rejected, the behaviour I see is that I get one Login OK
> message, followed by two login failures. This is probably because I'm
> doing this in post-auth, as I've read in other posts. I know if I do not
> allow the LDAP group in my users file, I get a single failure with no
> repeat login attempts.
>
> My question is where can I apply this logic besides post-auth, so that I
> can handle it before I allow the login?
You can put it into the "authorize" section.
Generally, you want to reject "bad" users as early as possible. This means using the "authorize" section.
> switch Connect-Info {
...
All that looks fine. Just move it to the "authorize" section.
Alan DeKok.
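As an added illustration (not code from the thread), this is the shape the moved logic could take in the "authorize" section of a FreeRADIUS 3 virtual server. The Connect-Info string values and the LDAP group name are placeholders, since the thread does not give them; read the real values from the radiusd -X output.

```unlang
# Added example, not from the original post. Rejecting in "authorize" stops
# the request before authentication runs, which is the early rejection the
# reply recommends. The ldap module must run before the LDAP-Group check so
# the group comparison can be resolved for this user.
authorize {
    preprocess
    ldap

    switch Connect-Info {
        # Placeholder: the Connect-Info string the FortiGate sends for an
        # administrative login is not given in the thread.
        case "ADMIN-LOGIN-CONNECT-INFO" {
            # Placeholder group name: only members may administer the appliance.
            if (LDAP-Group == "fortigate-admins") {
                ok
            }
            else {
                update reply {
                    Reply-Message := "Not authorised for appliance administration"
                }
                reject
            }
        }

        # Placeholder: the Connect-Info string sent for a VPN login.
        case "VPN-LOGIN-CONNECT-INFO" {
            # VPN users continue to normal authentication.
            ok
        }

        # Any other Connect-Info value is unexpected and is refused.
        case {
            reject
        }
    }

    pap
}
```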