Where is your "files" declaration in the authorize section?  Do you see the server looking at your users file in the debug messages?  If the users file is never processed, I don't think Autz-Type will be set as you intend.

Try
authorize {
        preprocess
        files
        eap
        mschap
        Autz-Type LDAP {
                ldap
        }
        Autz-Type LDMS {
                ldap
                sql
        }
}


Regards,
Lin
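
The check described in the reply above, as an added example that is not part of the original thread and not FreeRADIUS code: a small linter that reports when raddb/users assigns an Autz-Type but the authorize section never calls `files`, or has no matching Autz-Type block. The function names are hypothetical, the sample inputs are constructed from the configuration quoted in this thread, and matching names exactly and recognising only the `:=` operator are assumptions of the sketch.

```python
import re
# Constructed samples, modelled on the radiusd.conf and raddb/users quoted in this thread.
AUTHORIZE = """authorize {
    preprocess
    eap
    mschap
    Autz-Type LDAP {
        ldap
    }
    Autz-Type LDMS {
        ldap
        sql
    }
}"""
USERS = """DEFAULT NAS-IP-Address == 172.16.6.4, Autz-Type := LDMS
    Fall-Through = yes
DEFAULT NAS-IP-Address == 10.1.33.4, Autz-Type := LDAP"""

def parse_authorize(text):
    # Returns (modules listed directly in authorize, names of its Autz-Type blocks).
    modules, blocks, depth = [], set(), 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            m = re.match(r"Autz-Type\s+(\S+)\s*\{", line)
            if m and depth == 1:
                blocks.add(m.group(1))
            depth += 1
        elif line == "}":
            depth -= 1
        elif line and depth == 1:
            modules.append(line)
    return modules, blocks

def users_autz_types(text):
    # Check items live on the unindented first line of each users entry.
    entries = [l for l in text.splitlines() if l and not l[0].isspace() and l[0] != "#"]
    return {v for l in entries for v in re.findall(r"Autz-Type\s*:=\s*([^\s,]+)", l)}

def lint(authorize_text, users_text):
    modules, blocks = parse_authorize(authorize_text)
    wanted = users_autz_types(users_text)
    problems = []
    if wanted and "files" not in modules:
        problems.append("users file sets Autz-Type but 'files' is not listed in authorize")
    # Assumption: names are compared exactly as written (case-sensitive).
    return problems + [f"no 'Autz-Type {n}' block in authorize" for n in sorted(wanted - blocks)]

print(lint(AUTHORIZE, USERS))
```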



On 9/15/06, Rob Shepherd <[EMAIL PROTECTED] > wrote:
[EMAIL PROTECTED] wrote:
>
>
>
>  > Rob Shepherd wrote:
>  > TYPO!
>  >
>  > DEFAULT HuntGroup-Name == ciscovpnc
>  >          Autz-Type := ldap
>  >
>  > ...is how it looks in raddb/user.
>
> You need to put the Autz-Type on the first line as a check item.
>
> DEFAULT HuntGroup-Name == ciscovpnc, Autz-Type := ldap

Thanks to Alan D. and Garret M. for their comments.

However, neither ldap nor sql are checked at all in any case now.  I've
not quite got it right....

I've since ditched declaring raddb/huntgroups, as a simplifying
exercise. I'm checking for NAS-IP-Address instead in raddb/users.

raddb/users now looks like this


DEFAULT Auth-Type := PAP
         Fall-Through = yes

# wlan controller - needs LDAP and MySQL
DEFAULT NAS-IP-Address == 172.16.6.4, Autz-Type := LDMS
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Fall-Through = yes

# vpn concentrator - only LDAP
DEFAULT NAS-IP-Address == 10.1.33.4, Autz-Type := LDAP
         Fall-Through = yes


radiusd has this..

authorize {
         preprocess
         eap
         mschap
         Autz-Type LDAP {
                 ldap
         }
         Autz-Type LDMS {
                 ldap
                 sql
         }
}

The modules section is as it was when wireless was working. I can see
with -X that the ldap and sql modules are instantiated fine.

Here's the only processing that is done.

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module "eap" returns noop for request 0
   modcall[authorize]: module "mschap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.


If anybody would be so kind as to point me in the right direction....

Thanks IA

Rob

--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
[EMAIL PROTECTED] | 01248 675024 | 077988 72480
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
