How to differentiate between vpn user and appliance user?

D C dc12078 at gmail.com
Mon Jul 27 16:04:54 CEST 2015


Ahh ok, i see it now.  I've not tested the vpn yet, just the admin login.
I've been trying to figure out my 3x login attempts issue before moving
forward.
Your absolutely right, I've fixed that now.


Thanks,
Dan

On Mon, Jul 27, 2015 at 9:43 AM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Jul 27, 2015, at 9:12 AM, D C <dc12078 at gmail.com> wrote:
> > I was trying to keep the vpn logic separate from everything else.
>
>   That idea isn't implemented in the policy you wrote.
>
> >  So first
> > I handle my firewall which sends the Connect-Info attribute.  If
> > Connect-Info is vpn-ssl, then it's a vpn login, and I want only members
> of
> > my vpn groups to be allowed.  Next I do the same logic for my admin
> logins.
>
>   That's nice, but you're missing my point.  The logic you posted does:
>
> a) allow "good" users to be accepted
>
>   it does NOT do:
>
> b) reject "bad" users
>
>   That's why "bad" users are being accepted.  They're seen as bad, and
> then you have it do "ok", instead of "reject".
>
> > As for the authorize issue I'm having, I'm leaning towards the problem
> > being on the firewall right now.   I swapped out my sites-enabled/default
> > for the original one before I made any changes,  and then just
> uncommented
> > the lamuser auth-type reject clause from the users file.  If I try to
> login
> > as lameuser, I still get 3x failed logins.
>
>   See what the debug output says.
>
>   The logic should be simple:
>
>         if (user is trying to do X and
>             LDAP group is not "users who are allowed to do X") {
>                 reject
>         }
>
>   That will allow "good" users to do X, and prevent "bad" users from doing
> X.
>
> >  I will take this up with the
> > firewall team and see if they have some kind of retry logic going on.
> >
> > Thank you Alan, you have been most helpful throughout this.
>
>   It's what I do.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list