On Sat, Sep 13, 2003 at 06:37:03PM -0400, Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
> > I'm currently configuring a Freeradius 0.9.1 with EAP-TLS support and
> > Postgresql.
>
> That won't work.
>
> > Everything works fine, but if someone gets a certificate he can log in.
>
> That's what EAP-TLS is supposed to do.
>
> > (I don't know if I should put Auth-Type here)
>
> Don't set 'Auth-Type := EAP' *anywhere*. It's automatically set by
> the EAP module.

I've set it in the radgroupcheck like this:

radius=> select * from radgroupcheck;
 id |  groupname  | attribute | op | value
----+-------------+-----------+----+--------
  1 | wifi_valid  | Auth-Type | := | EAP
  2 | wifi_reject | Auth-Type | := | Reject

>
> > The final purpose of this is to be able to remove access for someone just by
> > updating the good field containing the Auth-Type attribute to REJECT or to put
> > a specific user in a reject group...
>
> Hmm... the EAP module may over-write a REJECT with EAP. That's not
> good.

radius=> select * from usergroup;
 id | username |  groupname
----+----------+-------------
  4 | greg     | wifi_valid
  5 | nico     | wifi_reject

./radtest nico pouet 127.0.0.1 1812 testing123

modcall: group authorize returns ok
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.

./radtest greg pouet 127.0.0.1 1812 testing123

modcall: group authorize returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group Auth-Type
rlm_eap: EAP-Message not found
^^^^^^^^
because of radtest.

EAP gets called because I've set up Auth-Type EAP.
EAP for user nico is not called because of Auth-Type Reject.

The big problem I was facing is also

DEFAULT Auth-Type := System
(taken from my twisted mind)

That doesn't work, but

DEFAULT Auth-Type = System
(taken from dist file)

works!

Configuration file skeletons are really useful ;)

--
[EMAIL PROTECTED]
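
An added example, not part of the original message and not FreeRADIUS code: the revocation step described above (putting a user in the reject group), followed by an audit of which users the group tables actually cover. It uses a constructed copy of the two tables shown in the message; SQLite standing in for PostgreSQL, the helper names `revoke` and `audit`, and the extra user `alice` are assumptions.

```python
import sqlite3

# Constructed copy of the radgroupcheck and usergroup rows shown in the message.
# SQLite stands in for PostgreSQL so the example runs offline (assumption).
SCHEMA = """
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT,
                            attribute TEXT, op TEXT, value TEXT);
CREATE TABLE usergroup (id INTEGER PRIMARY KEY, username TEXT, groupname TEXT);
INSERT INTO radgroupcheck VALUES (1, 'wifi_valid', 'Auth-Type', ':=', 'EAP');
INSERT INTO radgroupcheck VALUES (2, 'wifi_reject', 'Auth-Type', ':=', 'Reject');
INSERT INTO usergroup VALUES (4, 'greg', 'wifi_valid');
INSERT INTO usergroup VALUES (5, 'nico', 'wifi_reject');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def revoke(db, username):
    """Hypothetical helper: make wifi_reject the user's only group, atomically."""
    with db:  # commits on success, rolls back if either statement fails
        db.execute("DELETE FROM usergroup WHERE username = ?", (username,))
        db.execute("INSERT INTO usergroup (username, groupname) "
                   "VALUES (?, 'wifi_reject')", (username,))

def audit(db, known_users):
    """Hypothetical helper: classify each user by the Auth-Type of their groups."""
    seen = {}
    rows = db.execute(
        "SELECT u.username, c.value FROM usergroup u "
        "JOIN radgroupcheck c ON c.groupname = u.groupname "
        "WHERE c.attribute = 'Auth-Type'")
    for user, value in rows:
        seen.setdefault(user, set()).add(value)
    status = {}
    for user in known_users:
        values = seen.get(user, set())
        if not values:
            status[user] = "unlisted"   # no group row: these tables never reject them
        elif values == {"Reject"}:
            status[user] = "reject"
        elif "Reject" in values:
            status[user] = "conflict"   # in a reject group and another group: review
        else:
            status[user] = "allow"
    return status

if __name__ == "__main__":
    db = open_db()
    revoke(db, "greg")
    print(audit(db, ["greg", "nico", "alice"]))
```

Pass `audit` the list of everyone who holds a certificate: any name reported as `unlisted` or `conflict` is one whose access is not clearly governed by the reject group.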