How to differentiate between vpn user and appliance user?

Alan DeKok aland at deployingradius.com
Mon Jul 27 15:43:00 CEST 2015


On Jul 27, 2015, at 9:12 AM, D C <dc12078 at gmail.com> wrote:
> I was trying to keep the vpn logic separate from everything else.

  That idea isn't implemented in the policy you wrote.

>  So first
> I handle my firewall which sends the Connect-Info attribute.  If
> Connect-Info is vpn-ssl, then it's a vpn login, and I want only members of
> my vpn groups to be allowed.  Next I do the same logic for my admin logins.

  That's nice, but you're missing my point.  The logic you posted does:

a) allow "good" users to be accepted

  it does NOT do:

b) reject "bad" users

  That's why "bad" users are being accepted.  They're seen as bad, and then you have it do "ok", instead of "reject".

> As for the authorize issue I'm having, I'm leaning towards the problem
> being on the firewall right now.   I swapped out my sites-enabled/default
> for the original one before I made any changes,  and then just uncommented
> the lamuser auth-type reject clause from the users file.  If I try to login
> as lameuser, I still get 3x failed logins.

  See what the debug output says.

  The logic should be simple:

	if (user is trying to do X and
	    LDAP group is not "users who are allowed to do X") {
		reject
	}

  That will allow "good" users to do X, and prevent "bad" users from doing X.

>  I will take this up with the
> firewall team and see if they have some kind of retry logic going on.
> 
> Thank you Alan, you have been most helpful throughout this.

  It's what I do.

  Alan DeKok.
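The "allow good, reject bad" rule above, written out as a FreeRADIUS unlang fragment. This is an added illustration, not code from the thread or from the FreeRADIUS project. It assumes the firewall tags VPN logins with Connect-Info = "vpn-ssl" (as the original poster describes), that the ldap module has already run in the authorize section so LDAP-Group comparisons work, and that the permitted LDAP group is named "vpn-users" (a made-up name, substitute your own).

```unlang
# Added example, not from the original mailing-list thread.
# Assumptions: Connect-Info == "vpn-ssl" marks a VPN login (from the
# poster's description); "vpn-users" is a hypothetical LDAP group name;
# the ldap module has been called earlier in this authorize section.
#
# Shape of the policy that was NOT working: it only has an "ok" branch,
# so a user outside the group simply falls through and is still
# accepted by whatever comes later in the section.
#
#     if (Connect-Info == "vpn-ssl" && LDAP-Group == "vpn-users") {
#         ok
#     }
#
# Shape that matches the logic in the reply: the bad case explicitly
# returns "reject", so processing stops with an Access-Reject.
if (Connect-Info == "vpn-ssl") {
    if (LDAP-Group == "vpn-users") {
        # VPN login from a member of the VPN group: let it continue.
        ok
    }
    else {
        # VPN login from anyone else: refuse, do not fall through.
        reject
    }
}
```

Check the result with `radiusd -X`: a VPN request from a non-member should show the `else` branch returning `reject` and the server sending Access-Reject, rather than the request continuing on to authentication. The same if/else shape applies to the admin-login case, with its own Connect-Info value and group.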



