How to differentiate between vpn user and appliance user?
Alan DeKok
aland at deployingradius.com
Mon Jul 27 15:43:00 CEST 2015
On Jul 27, 2015, at 9:12 AM, D C <dc12078 at gmail.com> wrote:
> I was trying to keep the vpn logic separate from everything else.
That idea isn't implemented in the policy you wrote.
> So first
> I handle my firewall which sends the Connect-Info attribute. If
> Connect-Info is vpn-ssl, then it's a vpn login, and I want only members of
> my vpn groups to be allowed. Next I do the same logic for my admin logins.
That's nice, but you're missing my point. The logic you posted does:
a) allow "good" users to be accepted
it does NOT do:
b) reject "bad" users
That's why "bad" users are being accepted. They're seen as bad, and then you have it do "ok", instead of "reject".
> As for the authorize issue I'm having, I'm leaning towards the problem
> being on the firewall right now. I swapped out my sites-enabled/default
> for the original one before I made any changes, and then just uncommented
> the lamuser auth-type reject clause from the users file. If I try to login
> as lameuser, I still get 3x failed logins.
See what the debug output says.
The logic should be simple:
if (user is trying to do X and
LDAP group is not "users who are allowed to do X") {
reject
}
That will allow "good" users to do X, and prevent "bad" users from doing X.
> I will take this up with the
> firewall team and see if they have some kind of retry logic going on.
>
> Thank you Alan, you have been most helpful throughout this.
It's what I do.
Alan DeKok.
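The policy shape Alan describes, written out as FreeRADIUS 3.x unlang. This is an added example, not part of the original thread or the poster's own configuration: the group names "vpn-users" and "firewall-admins", the Connect-Info value "appliance-admin" for the admin login, and the module order are all assumptions, and the "broken" block is a reconstruction of the accept-only pattern the thread discusses, not the poster's actual config.

```unlang
# Added illustration (not from the thread). Assumes the ldap module is
# configured and listed here, so that LDAP-Group comparisons work.
authorize {
    preprocess
    ldap

    # BROKEN pattern (what the thread describes): only the "good" case is
    # handled. A user with Connect-Info = vpn-ssl who is NOT in vpn-users
    # never matches, falls through, and is still accepted if the password
    # checks out.
    #
    # if (&Connect-Info == "vpn-ssl" && &LDAP-Group == "vpn-users") {
    #     ok
    # }

    # FIXED pattern: test for the disallowed combination and reject it,
    # so the request never reaches the authenticate section.
    if (&Connect-Info == "vpn-ssl") {
        if (!(&LDAP-Group == "vpn-users")) {          # assumed group name
            update reply {
                &Reply-Message := "Not authorized for VPN"
            }
            reject
        }
    }
    # Same shape for logins to the appliance itself; the Connect-Info
    # value the firewall sends for admin sessions is assumed here.
    elsif (&Connect-Info == "appliance-admin") {      # assumed value
        if (!(&LDAP-Group == "firewall-admins")) {    # assumed group name
            update reply {
                &Reply-Message := "Not authorized for admin access"
            }
            reject
        }
    }

    pap
}
```

Run `radiusd -X` and test with a user who is in neither group: the debug output should show the `reject` being hit in `authorize` and an Access-Reject going back, rather than the request continuing into `authenticate`. Doing the check before `pap` also means a wrong password and a wrong group produce the same outcome, which keeps the policy from leaking which of the two failed.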