How to differentiate between vpn user and appliance user?

D C dc12078 at gmail.com
Sun Jul 26 21:01:36 CEST 2015


Ah ok, I tried authenticate with no luck. Now I'm using authorize, but
still having the same issue. It looks like the ldap module is authorizing
the request, so even now I am still too late in the pipeline.

Here is my config with comments removed, and the output of radiusd -X from
just "one" login attempt. I am expecting it to fail because my vpn user is
not authorized for an admin login. However, I am getting 3x login
attempts, which I believe is because ldap bind authorized it.

http://pastebin.com/raw.php?i=UPt435VX
http://pastebin.com/raw.php?i=2atLPQxv

Any thoughts?



Thanks,
Dan

On Sun, Jul 26, 2015 at 7:35 AM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Jul 25, 2015, at 6:48 PM, D C <dc12078 at gmail.com> wrote:
> > Thanks to radiusd -X, I found that my fortigate appliance sends an
> > attribute in the request called "Connect-Info" which distinguishes if
> > it's a vpn login or an admin login.
>
>   That's why we recommend reading the debug output. :)
>
> > I can do something like this in post-auth which "works".. (ignore typos,
> > I'm going off the top of my head here.)
> > When the user is rejected, the behaviour I see is that I get one Login
> > OK message, followed by two login failures. This is probably because I'm
> > doing this in post-auth as I've read in other posts. I know if I do not
> > allow the ldap group in my users file, I get a single failure with no
> > repeat login attempts.
> >
> > My question is where can I apply this logic besides post-auth, so that I
> > can handle it before I allow the login?
>
>   You can put it into the "authorize" section.
>
>   Generally, you want to reject "bad" users as early as possible.  This
> means using the "authorize" section.
>
> > switch Connect-Info {
>   ...
>
>   All that looks fine.  Just move it to the "authorize" section.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
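As an added example (not config from the thread), this is how the Connect-Info check can sit in the "authorize" section so the request is rejected before the authenticate section ever binds to LDAP. It assumes FreeRADIUS 3.x unlang syntax, a placeholder regex for the admin value of Connect-Info (take the real value from your own radiusd -X output) and a placeholder LDAP group name "fortigate-admins".

```unlang
authorize {
    preprocess
    suffix

    # Populates LDAP-Group and sets Auth-Type when the user exists.
    ldap

    # Added example: the Fortigate marks the access path in Connect-Info.
    # Both the regex (/admin/i) and the group name are assumed placeholders.
    if ((&Connect-Info =~ /admin/i) && !(LDAP-Group == "fortigate-admins")) {
        update reply {
            &Reply-Message := "Admin login not permitted for this account"
        }
        # reject here returns Access-Reject immediately; the authenticate
        # section (and its LDAP bind) never runs for this request.
        reject
    }

    expiration
    logintime
    pap
}
```

The check comes after the `ldap` call so that LDAP-Group is known, but it still runs before authentication, which is what Alan means by rejecting "bad" users as early as possible.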
