[EXT] Re: Authorize access by MAC Address

Brian Julin BJulin at clarku.edu
Sat Oct 26 07:06:47 CEST 2019

Shooting from the hip here,

Mike DiBella <mike at dibella.net> wrote:

> I seem to be misunderstanding how authentication and authorization works under FreeRadius.
> I can see the in logs that the bind is successful and that the search does not return any object
> matching the filter criteria, as expected.   However, an access-accept is still returned to the test client.

> I am expecting that unix type will only be used for authentication, and that authorization depends
> on the ldap search being successful

Normally ldap is used to look up an attribute or group membership and based on it's value
reject or accept.  If a user is not found when you call one module then other modules
are checked in a failover fashion.  The log shows that the pap module gets the request
and authorizes it.

Shooting from the hip here so I may be wrong, but try changing "ldap" in authorize to: 

ldap { 
  notfound = reject

> If I comment out unix from the authorize section of the default site, then access-reject
> is returned even when the password is valid and the search is successful.

The authorize section is special, it is not considered a failover group at the top level.
Any module called at the top level only sets the Autz-Type to decide which subsection
to run.

It could use some gloss, but https://wiki.freeradius.org/config/Fail-over explains this.

More information about the Freeradius-Users mailing list