How to differentiate between vpn user and appliance user?
D C
dc12078 at gmail.com
Sun Jul 26 21:01:36 CEST 2015
Ah ok, I tried "authenticate" with no luck. Now I'm using "authorize", but
still having the same issue. It looks like the ldap module is authorizing
the request, so even now I am still too late in the pipeline.
Here is my config with comments removed, and the output of radiusd -X from
just "one" login attempt. I am expecting it to fail because my vpn user is
not authorized for an admin login. However, I am getting 3 login
attempts, which I believe is because the ldap bind authorized it.
http://pastebin.com/raw.php?i=UPt435VX
http://pastebin.com/raw.php?i=2atLPQxv
Any thoughts?
Thanks,
Dan
On Sun, Jul 26, 2015 at 7:35 AM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Jul 25, 2015, at 6:48 PM, D C <dc12078 at gmail.com> wrote:
> > Thanks to radiusd -X, I found that my fortigate appliance sends an
> > attribute in the request called "Connect-Info" which distinguishes if it's
> > a vpn login or an admin login.
>
> That's why we recommend reading the debug output. :)
>
> > I can do something like this in post-auth which "works" (ignore typos,
> > I'm going off the top of my head here.)
> > When the user is rejected, the behaviour I see is that I get one Login OK
> > message, followed by two login failures. This is probably because I'm
> > doing this in post-auth as I've read in other posts. I know if I do not
> > allow the ldap group in my users file, I get a single failure with no
> > repeat login attempts.
> >
> > My question is where can I apply this logic besides post-auth, so that I
> > can handle it before I allow the login?
>
> You can put it into the "authorize" section.
>
> Generally, you want to reject "bad" users as early as possible. This
> means using the "authorize" section.
>
> > switch Connect-Info {
> ...
>
> All that looks fine. Just move it to the "authorize" section.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
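As an added illustration of Alan's advice (not config from either poster), the following unlang fragment assumes FreeRADIUS 3.x syntax, a placeholder Connect-Info value for admin logins (substitute whatever radiusd -X shows), and a placeholder LDAP group name. Because the authorize section runs top to bottom, placing the check ahead of the ldap module means a request that fails it is rejected before any LDAP bind happens:

```unlang
# Added example, not from the thread. Assumes FreeRADIUS 3.x unlang.
# "ADMIN-PLACEHOLDER" and "ADMIN-GROUP-PLACEHOLDER" are assumed values;
# take the real Connect-Info string from the radiusd -X output and the
# real group name from your directory.
authorize {
    preprocess

    # Decide before ldap runs; "reject" stops processing here and the
    # request never reaches the ldap bind below.
    switch Connect-Info {
        case "ADMIN-PLACEHOLDER" {
            # LDAP-Group is the dynamic comparison registered by rlm_ldap,
            # so it can be evaluated even though "ldap" has not run yet.
            if (!(LDAP-Group == "ADMIN-GROUP-PLACEHOLDER")) {
                reject
            }
        }
        case {
            # Any other value (e.g. a VPN login) falls through to normal
            # handling below.
        }
    }

    ldap
    pap
}
```

With the check ahead of ldap, the debug output should show a single Access-Reject for the vpn user's admin attempt rather than an authorized bind followed by later failures.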