[EXT] Re: Authorize access by MAC Address
Brian Julin
BJulin at clarku.edu
Sat Oct 26 07:06:47 CEST 2019
Shooting from the hip here,
Mike DiBella <mike at dibella.net> wrote:
> I seem to be misunderstanding how authentication and authorization works under FreeRadius.
...
> I can see in the logs that the bind is successful and that the search does not return any object
> matching the filter criteria, as expected. However, an access-accept is still returned to the test client.
> I am expecting that unix type will only be used for authentication, and that authorization depends
> on the ldap search being successful.
Normally ldap is used to look up an attribute or group membership and based on its value
reject or accept. If a user is not found when you call one module then other modules
are checked in a failover fashion. The log shows that the pap module gets the request
and authorizes it.
Shooting from the hip here so I may be wrong, but try changing "ldap" in authorize to:
ldap {
        notfound = reject
}
> If I comment out unix from the authorize section of the default site, then access-reject
> is returned even when the password is valid and the search is successful.
The authorize section is special, it is not considered a failover group at the top level.
Any module called at the top level only sets the Autz-Type to decide which subsection
to run.
It could use some gloss, but https://wiki.freeradius.org/config/Fail-over explains this.
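As an added illustration of the return-code override discussed above (this is not from the original post or from the FreeRADIUS default configuration), the two variants below assume a site where LDAP is the only source of truth for who may log in, and the unix module is kept purely to supply the password for pap:

```unlang
# Variant 1: the behaviour described in the question.
# When the LDAP search returns "notfound", the authorize section keeps
# going, so unix + pap still set Auth-Type and the user is accepted.
authorize {
        unix
        ldap
        pap
}

# Variant 2: the suggested fix.
# Overriding the module's "notfound" return code with "reject" stops
# processing at ldap, so a user missing from LDAP is rejected even when
# the unix password would have been valid.
authorize {
        unix
        ldap {
                notfound = reject
        }
        pap
}

# Unchanged: pap does the actual password check for Auth-Type PAP.
authenticate {
        Auth-Type PAP {
                pap
        }
}
```

Use only one of the two authorize sections in a real site file; they are shown side by side here so the single differing line is easy to spot.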