@ 3APA3A
>I see no problem if authorization always succeeds.
>For your case you can change Auth-Type to MS-CHAP for VPN users. If user
>is not VPN and he tries to use VPN account he will be authorized by
>ldap1 or ldap2 but he will not have NT-Password LM-Password attribute
>and will not be authenticated by mschap. If user is vpn but tries to
>access non-vpn device he will not have password and will not be
>authenticated.
>For general case I bet it's impossible to have different authorization
>for different NAS.
No, I cannot do it this way!! But before I try to explain to you why, please
read at the bottom what I have finally configured. I guess it will explain
it to you anyway! And for your bet -- read below :-)
@ Kostas Kalevras
>Use Autz-Type. Setup your authorize section like this:
>authorize {
>	autztype LDAP1 {
>		ldap1
>	}
>	autztype LDAP2 {
>		ldap2
>	}
>	autztype LDAP3 {
>		ldap3
>	}
>	files        <-- users file module
>	[...]        <-- any other authorization modules
>}
>And in your users file:
>DEFAULT Autz-Type := LDAP1, Hunt-Group-Name == Dialin
>DEFAULT Autz-Type := LDAP2, Hunt-Group-Name == CAS
>DEFAULT Auth-Type := MS-Chap, Autz-Type := LDAP3, Hunt-Group-Name == VPN
Thanks for this hint. I ran across Autz-Type but could not find helpful
documentation on it anywhere.
Anyway, I found a different approach for my setting that seems to work quite
well.
See my changes below. I guess you will get the idea!
Freeradius now sets a special attribute to VPN, DIAL or CAS depending on the
origin (NAS) of the request. Then I use this attribute to search for its
value in the LDAP user account! If it is there rlm_ldap returns ok, otherwise
the user is rejected.
Thanks to the "User-Profile" attribute I can still define different
default profile values for the different NASs.
======================== users file ===================
DEFAULT NAS-Port-ID == 11, User-Profile := "cn=RadiusVpnDefault,dc=uni,dc=de"
	accessattribute = VPN,
	Fall-Through = No

DEFAULT NAS-Port-ID == 22, User-Profile := "cn=RadiusDialDefault,dc=uni,dc=de"
	accessattribute = DIAL,
	Fall-Through = No

DEFAULT NAS-Port-ID == 33, User-Profile := "cn=RadiusCasDefault,dc=uni,dc=de"
	accessattribute = CAS,
	Fall-Through = No
================== radiusd.conf =====================
ldap {
	server = "localhost"
	identity = "cn=admin,dc=donknow,dc=de"
	password = 12345678
	basedn = "dc=downknow,dc=de"
	authtype = "MS-CHAP"
	#filter = "(uid=%u)"
	filter = "(&(IsAllowedToDo=%{reply:accessattribute})(|(uid=%u)(uid=%U)))"
	# For example %{reply:accessattribute} would become "CAS" if the requesting
	# NAS had Port-ID == 33!!
	# "IsAllowedToDo" can of course be any multi-valued attribute name in LDAP
	# and has to be defined in the radius.schema!!
	# %U is here only because I need to search for the stripped-user-name OR
	# the user-name!
......
authorize {
	preprocess
	files
	ldap
}
.........
authenticate {
	mschap
}
=================== Dictionary ==========================
ATTRIBUTE	accessattribute	1111	string
#VALUE		accessattribute	VPN	1
#VALUE		accessattribute	DIAL	2
#VALUE		accessattribute	CAS	3
==================== ldap.attrmap =========================
# For MS-CHAP to work, lmPassword and ntPassword have to be checkItems
----------------------------------------------------------------------------
checkItem	LM-Password	lmPassword
checkItem	NT-Password	ntPassword
----------------------------------------------------------------------------
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
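To make the authorization decision in the configuration above concrete, here is a small simulation (an added example, not the poster's configuration or FreeRADIUS code): the per-NAS rule from the users file supplies the accessattribute reply item, the rlm_ldap filter is expanded with it, and a user is only found when the entry carries the matching IsAllowedToDo value. The directory entries are constructed, the realm stripping in `authorize()` is an assumption, and the RFC 4515 escaping stands in for what rlm_ldap does to substituted values.

```python
# Simulation of the per-NAS authorization scheme described above (added example,
# not the poster's configuration or FreeRADIUS code). Sample users are constructed.
# NAS-Port-Id -> (accessattribute reply item, User-Profile DN), as in the users file.
NAS_RULES = {
    "11": ("VPN", "cn=RadiusVpnDefault,dc=uni,dc=de"),
    "22": ("DIAL", "cn=RadiusDialDefault,dc=uni,dc=de"),
    "33": ("CAS", "cn=RadiusCasDefault,dc=uni,dc=de"),
}
FILTER = "(&(IsAllowedToDo=%{reply:accessattribute})(|(uid=%u)(uid=%U)))"
# Constructed directory: uid -> values of the multi-valued IsAllowedToDo attribute.
DIRECTORY = {"alice": {"VPN", "DIAL"}, "bob": {"DIAL"}, "carol": set()}

def _escape(value):
    """RFC 4515 escaping of user-supplied values so they cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def expand_filter(nas_port_id, user_name, stripped_user_name):
    """Expand the xlat tokens the way rlm_ldap would for this request."""
    access = NAS_RULES[nas_port_id][0]
    return (FILTER.replace("%{reply:accessattribute}", access)
                  .replace("%U", _escape(user_name))
                  .replace("%u", _escape(stripped_user_name)))

def _parse(s, i):
    """Parse the filter component starting at s[i]; supports &, | and equality."""
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] != ")":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, val = s[i + 1:j].split("=", 1)
    return ("=", attr, val), j + 1

def _match(node, entry):
    if node[0] == "&":
        return all(_match(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_match(k, entry) for k in node[1])
    return node[2] in entry.get(node[1], set())

def authorize(nas_port_id, user_name):
    """Return (found, User-Profile DN); found is False when rlm_ldap would reject."""
    stripped = user_name.split("@", 1)[0]  # assumed realm stripping before ldap runs
    node, _ = _parse(expand_filter(nas_port_id, user_name, stripped), 0)
    for uid, allowed in DIRECTORY.items():
        if _match(node, {"uid": {uid}, "IsAllowedToDo": allowed}):
            return True, NAS_RULES[nas_port_id][1]
    return False, None
```

A user without the matching IsAllowedToDo value is simply not found by the search, which is the rejection the post relies on; the escaping keeps a crafted User-Name from changing the shape of the filter.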