On Tue, 24 May 2005, Dustin Doris wrote:

> > ------------
> > huntgroups:
> >
> > testgroup       NAS-IP-Address == 10.0.0.1 (for the purpose of this
> > exercise, my test client)
> >                 User-Name = randomuser,
>
> Not sure if it matters, but you don't need this comma since it's the last
> value.

Thanks.  I was going by the example in the huntgroups file, which has the
comma.  The server doesn't appear to care either way.

>
> >
> > ------------
> > users:
> >
> > DEFAULT        Huntgroup-Name == testgroup, Auth-Type = Kerberos
> >                Fall-Through = No
>
> That should be Auth-Type :=, as = is not allowed as a check item (man 5
> users)

Again, thanks.  I definitely need to be more careful about that.

> I don't understand what you are trying to do here.  If you match the first
> entry, it says Auth-Type := kerberos.  If you don't match the first entry,
> then you will fall through to the default of Auth-Type := kerberos.
>
> Are you trying to make it so that if you are NOT in the huntgroup, then
> you will be rejected?  Or are you trying to make it so if you are not in
> the Huntgroup you don't get those default reply values?

Sorry for the confusion.  I'm wanting it so that only users in the
huntgroups file are able to authenticate from a certain NAS address.  So
I want anyone with a kerberos username/password to authenticate from the
modem pool and VPN, but I want only certain users to be able to
authenticate from the firewall.

>
> If you want to reject the user if they are not in the huntgroup, then you
> need to change the DEFAULT to
>
> DEFAULT Auth-Type := Reject
>
> Otherwise, why even have it match the Huntgroup if you are going to be
> authenticating in the same manner, regardless?

I /think/ I read this correctly, so I changed my users file to look like
this:

DEFAULT Huntgroup-Name == testgroup, Auth-Type := Kerberos
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Fall-Through = No

DEFAULT Auth-Type := Reject

Now it rejects everyone, regardless of where they're coming from and who
they are.  In the debug file, it says "Matched DEFAULT at 19" (line 19 is
where the DEFAULT Auth-Type := Reject line is).  I get:

Tue May 24 11:15:04 2005 : Debug:     users: Matched DEFAULT at 19
Tue May 24 11:15:04 2005 : Debug:   modcall[authorize]: module "files"
returns ok
Tue May 24 11:15:04 2005 : Debug: modcall: group authorize returns ok
Tue May 24 11:15:04 2005 : Debug:   rad_check_password:  Found Auth-Type
Reject
Tue May 24 11:15:04 2005 : Debug:   rad_check_password: Auth-Type =
Reject, rejecting user
Tue May 24 11:15:04 2005 : Debug: auth: Failed to validate the user.
Tue May 24 11:15:04 2005 : Auth: Login incorrect: [myusername] (from
client testclient port 0)

It's as if it completely ignores the section where I have my
huntgroup-name.

Brian

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
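Not part of the thread: an added Python model of how the users file is walked, built around the two DEFAULT entries and the huntgroup posted above. It is not FreeRADIUS code. It assumes the documented users-file rules (every check item on an entry's first line must hold, the first matching entry wins, and processing stops unless that entry says Fall-Through = Yes) and resolves Huntgroup-Name only against the first-line check items of the huntgroups entry; the indented User-Name line is parsed but not evaluated, because the thread does not show how the server treated it. The NAS address 192.0.2.9 and the user names are constructed sample input.

```python
# Added example, not FreeRADIUS code: a small model of users-file
# processing fed with the entries posted in the thread.  Assumptions are
# stated in the comments; see the lead-in above.
import re

PAIR_RE = re.compile(r"([\w-]+)\s*(==|:=|=)\s*(.*)")


def parse_pairs(text):
    """'Attr op value, Attr op value' -> [(attr, op, value), ...]"""
    pairs = []
    for item in text.split(","):
        item = item.strip()
        if item:
            attr, op, value = PAIR_RE.match(item).groups()
            pairs.append((attr, op, value.strip().strip('"')))
    return pairs


def parse_entries(text):
    """Both files share one layout: an unindented line opens an entry
    (name, then check items); indented lines continue it ("extra" holds
    reply items for users, the member restriction for huntgroups)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            entries[-1]["extra"] += parse_pairs(line)
        else:
            parts = line.strip().split(None, 1)
            check = parse_pairs(parts[1]) if len(parts) > 1 else []
            entries.append({"name": parts[0], "check": check, "extra": []})
    return entries


def in_huntgroup(huntgroups, name, request):
    """Model assumption: Huntgroup-Name == name holds when any huntgroups
    entry with that name has all of its first-line check items satisfied.
    The indented User-Name lines are deliberately not consulted here."""
    return any(hg["name"] == name
               and all(request.get(a) == v for a, _, v in hg["check"])
               for hg in huntgroups)


def entry_matches(entry, request, huntgroups):
    if entry["name"] not in ("DEFAULT", request.get("User-Name")):
        return False
    for attr, op, value in entry["check"]:
        if op != "==":
            continue  # ':=' / '=' on the check line set config, they do not compare
        if attr == "Huntgroup-Name":
            if not in_huntgroup(huntgroups, value, request):
                return False
        elif request.get(attr) != value:
            return False
    return True


def authorize(users, huntgroups, request):
    """Walk the entries in order.  Returns (matched entry numbers,
    config items such as Auth-Type, reply items)."""
    matched, config, reply = [], {}, {}
    for number, entry in enumerate(users, 1):
        if not entry_matches(entry, request, huntgroups):
            continue
        matched.append(number)
        for attr, op, value in entry["check"]:
            if op == ":=":
                config[attr] = value       # override
            elif op == "=":
                config.setdefault(attr, value)  # add only if absent
        fall_through = False
        for attr, op, value in entry["extra"]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            elif op == ":=":
                reply[attr] = value
            else:
                reply.setdefault(attr, value)
        if not fall_through:
            break
    return matched, config, reply


# The entries as posted in the thread; the parenthetical note from the
# mail about 10.0.0.1 is turned into a comment.
HUNTGROUPS = parse_entries("""
# testgroup: the test client
testgroup       NAS-IP-Address == 10.0.0.1
                User-Name = randomuser
""")

USERS_TEXT = """
DEFAULT Huntgroup-Name == testgroup, Auth-Type := Kerberos
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Fall-Through = No

DEFAULT Auth-Type := Reject
"""
USERS = parse_entries(USERS_TEXT)


def decide(user, nas_ip, users=USERS):
    """What the two DEFAULT entries do for a request (constructed input)."""
    return authorize(users, HUNTGROUPS, {"User-Name": user, "NAS-IP-Address": nas_ip})


if __name__ == "__main__":
    for user, nas in [("myusername", "10.0.0.1"), ("myusername", "192.0.2.9")]:
        matched, config, reply = decide(user, nas)
        print(f"{user} from {nas}: matched entry {matched}, "
              f"Auth-Type={config.get('Auth-Type')}, reply={reply}")
    # Flipping the first entry to Fall-Through = Yes lets the catch-all
    # Reject entry also match and override Auth-Type.
    ft_users = parse_entries(USERS_TEXT.replace("Fall-Through = No", "Fall-Through = Yes"))
    print("with Fall-Through = Yes:", decide("myusername", "10.0.0.1", ft_users)[:2])
```

Under these assumptions a request from 10.0.0.1 stops at the first entry with Auth-Type Kerberos and the Framed reply items, while a request from any other NAS falls to the catch-all and is rejected; with Fall-Through = Yes on the first entry both entries match and the later `Auth-Type := Reject` wins, which is why the order of the two DEFAULT entries and the Fall-Through setting matter.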
