How to differentiate between vpn user and appliance user?

D C dc12078 at gmail.com
Mon Jul 27 15:12:20 CEST 2015


I was trying to keep the vpn logic separate from everything else.  So first
I handle my firewall which sends the Connect-Info attribute.  If
Connect-Info is vpn-ssl, then it's a vpn login, and I want only members of
my vpn groups to be allowed.  Next I do the same logic for my admin logins.

The case (!Connect-Info) section handles the rest of my network devices,
where I want all my admins to have access based on their profile.  I was
testing profiles with a superadmins-VPN user but didn't get that working,
which is why I didn't attempt to add a profile to the others yet.


For profiles I haven't got that working so far unless I specify it in the
users file.  I haven't done any research on it yet, so I didn't bother
asking about it here yet.

As for the authorize issue I'm having, I'm leaning towards the problem
being on the firewall right now.   I swapped out my sites-enabled/default
for the original one before I made any changes,  and then just uncommented
the lamuser auth-type reject clause from the users file.  If I try to login
as lameuser, I still get 3x failed logins.  I will take this up with the
firewall team and see if they have some kind of retry logic going on.

Thank you Alan, you have been most helpful throughout this.




On Mon, Jul 27, 2015 at 7:07 AM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Jul 26, 2015, at 3:01 PM, D C <dc12078 at gmail.com> wrote:
> > Ah ok,  I tried authenticate with no luck.  Now I'm using authorize, but
> > still having the same issue.  It looks like the ldap module is
> > authorizing the request, so even now I am still too late in the pipeline.
>
>   Most of the "ldap" lines are it doing the LDAP-Group checks.
>
> > Here is my config with comments removed, and the output of radiusd -X
> > from just "one" login attempt.  I am expecting it to fail because my vpn
> > user is not authorized for an admin login.  However,  I am getting 3x
> > login attempts which I believe is because ldap bind authorized it.
>
>   You've changed the unlang rules you posted before.  Why?
>
>   As an example, what do you expect this to do?
>
>   switch Connect-Info {
>     case "vpn-ssl" {
>       if ((LDAP-Group == "superAdmins-VPN") || (LDAP-Group ==
> "readAdmins-VPN") || (LDAP-Group == "users-VPN")) {
>         update reply {
>           Reply-Message += "VPN access granted by LDAP group membership."
>         }
>         ok
>       }
>       else {
>         update reply {
>           Reply-Message += "VPN access denied by LDAP group membership."
>         }
>         ok
>       }
>     }
>
>   So... if the LDAP group *doesn't* match, you have it do "ok", instead of
> "reject".  Why?
>
>   Alan DeKok.
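For reference, here is the vpn-ssl branch written with the change Alan is pointing at (reject instead of ok when no VPN group matches) and a default case for devices that send no Connect-Info. This is an added example, not config posted in this thread; it assumes the block sits in authorize after the ldap module has run so LDAP-Group is populated, and "admin-group" in the default case is a placeholder, not a group name from the thread.

```unlang
# Added example, not from the thread.  Assumed placement: in the
# authorize section, after the "ldap" module call, so that the
# LDAP-Group comparisons below can be evaluated.  The "vpn-ssl"
# value and the three VPN group names are the ones in the thread.
switch Connect-Info {
  case "vpn-ssl" {
    if ((LDAP-Group == "superAdmins-VPN") || (LDAP-Group == "readAdmins-VPN") || (LDAP-Group == "users-VPN")) {
      update reply {
        Reply-Message += "VPN access granted by LDAP group membership."
      }
      ok
    }
    else {
      update reply {
        Reply-Message += "VPN access denied by LDAP group membership."
      }
      # "ok" here would let the request carry on to the LDAP bind,
      # so a user outside the VPN groups could still authenticate.
      # "reject" stops it in authorize.
      reject
    }
  }
  # Default case: any request with no Connect-Info, or a value not
  # matched above.  "admin-group" is a placeholder name.
  case {
    if (LDAP-Group == "admin-group") {
      ok
    }
    else {
      reject
    }
  }
}
```

Rejecting in authorize only changes what the server answers; if the firewall retries on its own after an Access-Reject, the repeated attempts in radiusd -X will still appear and need to be chased on the firewall side, as described above.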
