How to differentiate between vpn user and appliance user?
Alan DeKok
aland at deployingradius.com
Mon Jul 27 13:07:31 CEST 2015
On Jul 26, 2015, at 3:01 PM, D C <dc12078 at gmail.com> wrote:
> Ah ok, I tried authenticate with no luck. Now I'm using authorize, but
> still having the same issue. It looks like the ldap module is authorizing
> the request, so even now I am still too late in the pipeline.
Most of the "ldap" lines are it doing the LDAP-Group checks.
> Here is my config with comments removed, and the output of radiusd -X from
> just "one" login attempt. I am expecting it to fail because my vpn user is
> not authorized for an admin login. However, I am getting 3x login
> attempts which I believe is because ldap bind authorized it.
You've changed the unlang rules you posted before. Why?
As an example, what do you expect this to do?
switch Connect-Info {
    case "vpn-ssl" {
        if ((LDAP-Group == "superAdmins-VPN") || (LDAP-Group == "readAdmins-VPN") || (LDAP-Group == "users-VPN")) {
            update reply {
                Reply-Message += "VPN access granted by LDAP group membership."
            }
            ok
        }
        else {
            update reply {
                Reply-Message += "VPN access denied by LDAP group membership."
            }
            ok
        }
    }
So... if the LDAP group *doesn't* match, you have it do "ok", instead of "reject". Why?
Alan DeKok.
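For readers following the thread, here is the same switch block rewritten so that a non-member is actually refused. This is an added illustration, not part of Alan's reply or of D C's posted config: the group names and the "vpn-ssl" Connect-Info value are taken from the quoted snippet above, while the "default" branch for any other Connect-Info value is an assumption added here. In the authorize section of FreeRADIUS, "reject" causes an Access-Reject to be sent without running the authenticate section, which is what stops the LDAP bind from happening for a user who is in the wrong group.

```unlang
# Added example (not from the original post): reject non-members instead of "ok".
switch Connect-Info {
    case "vpn-ssl" {
        if ((LDAP-Group == "superAdmins-VPN") || (LDAP-Group == "readAdmins-VPN") || (LDAP-Group == "users-VPN")) {
            update reply {
                Reply-Message += "VPN access granted by LDAP group membership."
            }
            ok
        }
        else {
            # "reject" here sends Access-Reject immediately; the request never
            # reaches the authenticate section, so no LDAP bind is attempted.
            update reply {
                Reply-Message += "VPN access denied by LDAP group membership."
            }
            reject
        }
    }

    # Assumed branch (not in the quoted config): anything that is not the
    # VPN Connect-Info value is refused by this block rather than silently
    # passed through to the next module.
    case {
        update reply {
            Reply-Message += "Access denied: unrecognised Connect-Info."
        }
        reject
    }
}
```

With "reject" in the else branch, a single login attempt by a user outside the listed groups produces one Access-Reject in "radiusd -X" output, rather than the LDAP bind succeeding and the request continuing through the pipeline.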