"Chris A. Kalin" <[EMAIL PROTECTED]> wrote:
> We have [EMAIL PROTECTED] and bob.  Bob (the local user) is disabled, he's 
> in a certain group on my server that locks him out completely.  On my 
> backup RADIUS server, which is version 0.8-pre, I get the expected 
> behavior - if bob tries to log in, he gets a "Your account has been 
> disabled" message, but if [EMAIL PROTECTED] tries to log in, the proxy 
> request goes to the remote server and it'll work.

  OK...

> But on 1.1.3 I get weird results.  Bob (local) gets the same "disabled" 
> message, but so does [EMAIL PROTECTED]  But if I take bob out of the local 
> passwd file, [EMAIL PROTECTED] proxies to where it's supposed to go and 
> works fine.  What's even weirder is in the above failure, I don't even 
> get anything in radius.log about [EMAIL PROTECTED] failing auth - I have to 
> hear about it from the customer himself.

  In 1.1.3, the account lockouts in /etc/passwd are handled by the
unix module, unless you've got something else set up.  And the unix
module only has an "authenticate" handler.  That means it's run only
if "Auth-Type = System", and never for proxying.

  Please post a config & debug logs from 1.1.3.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
