On Wed, 2007-03-14 at 16:08 -0300, Matt Ashfield wrote:
> Ok, the users file it is! Thanks!
>
> I guess I was hoping for a link to an example of some sort. Because the user
> who would be given access is not explicitly defined in the users file (the
> users are defined in LDAP), I'm not sure how to set up a rule for that person.
>
> Thanks again,
>
> Cheers
>
> Matt
> [EMAIL PROTECTED]
You would want to use the special username DEFAULT. (Check the man page for
users(5).) What I did (although this might be slightly hackish) is I took a
look at the attributes in the request that was being sent by the supplicant.
I looked for attributes that were different between the wireless users and
the network equipment users. For example, you might want to do something
like:

    "admin1"  NAS-Port-Type == "Virtual", Auth-Type = LDAP
    "admin2"  NAS-Port-Type == "Virtual", Auth-Type = LDAP

    # This matches everyone else
    DEFAULT   NAS-Port-Type == "Virtual", Auth-Type := Reject

    # This will match all wireless users
    DEFAULT   NAS-Port-Type == "Wireless-802.11", Auth-Type = LDAP

Of course, this will mean that your network admins will *only* be able to
log in via LDAP. You may need to configure some kind of Fall-Through if you
want users to authenticate using some other mechanism in addition to LDAP.
So this is not without its limitations, but this should give you some ideas
to start from.

-- 
John Guthrie
[EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
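Added example (not code from the thread or from FreeRADIUS): a small Python model of how a users(5) file like the one above is walked, so you can check which Auth-Type a given User-Name/NAS-Port-Type pair ends up with before deploying the rules. It assumes the documented semantics: entries are tried top to bottom, an entry applies when its name is the User-Name or DEFAULT and every "==" / "!=" check item holds, "=" sets an item only if unset while ":=" always overrides, and processing stops at the first applying entry unless its reply items contain Fall-Through = Yes. The users-file text, the admin/bob requests and the FALL_THROUGH_FILE variant are all constructed for the demonstration; the variant shows the pitfall the reply warns about, where an admin entry that falls through lands in the catch-all reject rule.

```python
"""Constructed model of first-match processing of a FreeRADIUS users(5) file.
Not FreeRADIUS code: it only reproduces the documented matching rules so the
effect of DEFAULT entries and Fall-Through can be checked offline."""
import re
from dataclasses import dataclass, field

# Constructed users file modelled on the rules in the post above.
USERS_FILE = '''
"admin1"  NAS-Port-Type == "Virtual", Auth-Type = LDAP
"admin2"  NAS-Port-Type == "Virtual", Auth-Type = LDAP
# This matches everyone else arriving on a Virtual port
DEFAULT   NAS-Port-Type == "Virtual", Auth-Type := Reject
# This will match all wireless users
DEFAULT   NAS-Port-Type == "Wireless-802.11", Auth-Type = LDAP
'''

# Constructed variant: the admin entry sets only reply items and falls
# through, so the catch-all DEFAULT reject applies to the admin as well.
FALL_THROUGH_FILE = '''
"admin1"  NAS-Port-Type == "Virtual"
          Reply-Message = "welcome, admin", Fall-Through = Yes
DEFAULT   NAS-Port-Type == "Virtual", Auth-Type := Reject
DEFAULT   NAS-Port-Type == "Wireless-802.11", Auth-Type = LDAP
'''

# One "Attribute op value" item, optionally followed by a comma.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|=)\s*("[^"]*"|[^,\s]+)\s*,?')


@dataclass
class Entry:
    name: str
    checks: list                                   # items on the first line
    replies: list = field(default_factory=list)    # items on indented lines


def parse_items(text):
    """Split 'A == x, B := y' into [(attr, op, value), ...]."""
    items, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = ITEM_RE.match(text, pos)
        if not m:
            raise ValueError(f'cannot parse item near {text[pos:]!r}')
        items.append((m.group(1), m.group(2), m.group(3).strip('"')))
        pos = m.end()
    return items


def parse_users(text):
    """Parse users-file text into Entry objects, keeping file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] in ' \t':          # indented continuation: reply items
            entries[-1].replies.extend(parse_items(line))
            continue
        m = re.match(r'("[^"]*"|\S+)\s*(.*)', line)
        entries.append(Entry(m.group(1).strip('"'), parse_items(m.group(2))))
    return entries


def entry_matches(entry, request):
    """Name must be DEFAULT or the User-Name; every ==/!= check must hold."""
    if entry.name != 'DEFAULT' and entry.name != request.get('User-Name'):
        return False
    for attr, op, value in entry.checks:
        if op == '==' and request.get(attr) != value:
            return False
        if op == '!=' and request.get(attr) == value:
            return False
    return True


def authorize(entries, request):
    """Walk entries in order; return (control items, reply items).
    '=' sets only if unset, ':=' always overrides; stop at the first
    matching entry unless it replies with Fall-Through = Yes."""
    control, reply = {}, {}
    for entry in entries:
        if not entry_matches(entry, request):
            continue
        for attr, op, value in entry.checks:       # e.g. Auth-Type
            if op == ':=' or (op == '=' and attr not in control):
                control[attr] = value
        fall_through = False
        for attr, op, value in entry.replies:
            if attr == 'Fall-Through':
                fall_through = value.lower() == 'yes'
            elif op == ':=' or attr not in reply:
                reply[attr] = value
        if not fall_through:
            break
    return control, reply


def auth_type_for(user, port_type, users_text=USERS_FILE):
    """Auth-Type selected for a (User-Name, NAS-Port-Type) pair; None if no match."""
    request = {'User-Name': user, 'NAS-Port-Type': port_type}
    control, _ = authorize(parse_users(users_text), request)
    return control.get('Auth-Type')


def fall_through_demo():
    """admin1 on a Virtual port under FALL_THROUGH_FILE: reply is set, but
    Fall-Through carries the request into the DEFAULT reject rule."""
    request = {'User-Name': 'admin1', 'NAS-Port-Type': 'Virtual'}
    control, reply = authorize(parse_users(FALL_THROUGH_FILE), request)
    return control.get('Auth-Type'), reply.get('Reply-Message')


if __name__ == '__main__':
    for user, port in [('admin1', 'Virtual'), ('bob', 'Virtual'),
                       ('bob', 'Wireless-802.11'), ('bob', 'Ethernet')]:
        print(f'{user:7s} {port:16s} -> {auth_type_for(user, port)}')
    print('fall-through demo ->', fall_through_demo())
```

Running it shows the intended split (admin1/admin2 on Virtual get LDAP, anyone else on Virtual is rejected, wireless users get LDAP, a request on an unlisted port type matches nothing) and, with the variant file, that a Fall-Through entry placed before a DEFAULT ":= Reject" line is overridden by it, so any fall-through entries need their own Auth-Type and a careful position relative to the catch-all.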

