Hi,
I'm currently configuring FreeRADIUS 0.9.1 with EAP-TLS support and
PostgreSQL.
If I put in the 'users' file
DEFAULT Auth-Type := EAP
everything works fine, but if someone gets a certificate he can log in.
I want to permit only users using PostgreSQL. What should I put into the radcheck,
radreply and usergroup tables to permit that?
The log said that the sql module returns ok,
but my Auth-Type attribute is not handled. Here is some table content:
radius=# select * from radcheck;
 id | username |   attribute   | op |  value
----+----------+---------------+----+----------
  6 | greg     | Auth-Type     | := | EAP
(I don't know if I should put Auth-Type here)
radius=# select * from radreply;
 id | username | attribute | op | value
----+----------+-----------+----+-------
  5 | greg     | Auth-Type | := | EAP
(I don't know if I should put Auth-Type here)
raddb/users :
DEFAULT Auth-Type := Reject
        Reply-Message = "high, low"
Here are the queries I use:
authorize_group_check_query = "SELECT gct.id, gct.GroupName, gct.Attribute,
gct.Value, gct.Op
FROM ${groupcheck_table} gct, ${usergroup_table} ugt
WHERE ugt.Username = '%{SQL-User-Name}'
AND ugt.GroupName = gct.GroupName
ORDER BY gct.id"
authorize_group_reply_query = "SELECT grt.id, grt.GroupName, grt.Attribute,
grt.Value, grt.Op
FROM ${groupreply_table} grt, ${usergroup_table} ugt
WHERE ugt.Username = '%{SQL-User-Name}'
AND ugt.GroupName = grt.GroupName
ORDER BY grt.id"
Note: these are not the default ones, but they are verified to work ;p and tests were
performed with both (default and mine).
That's all. In many tests I've deleted the Auth-Type attribute from the tables and it
didn't change anything; the result was the same, the MATCHED was the one found in the
users file.
Really thanks, I'm sure I've missed something but I don't see what ;]
The final purpose of this is to be able to remove access for someone just by
updating the good field containing the Auth-Type attribute to REJECT or to put
a specific user in a reject group...