Greetings, I have a best practices question. I am currently building a freeradius+LVS cluster to replace an existing radius server. In the process I am trying to do things as solidly as possible. Part of this process is tidying up the users file. In the process I noticed a rule that made me a little squishy.
The purpose of the rule is to handle incoming requests from a Cisco PIX for VPN authentication. It is supposed to validate it using ntlm_auth. There are two ntlm_auth definitions in the radiusd.conf. One handles MS-CHAP and one is for ntlm_auth_plaintext. I tested this rule with radtest (making the necessary modifications) and it worked fine.

DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group = "CN=somevpn...", Auth-Type := ntlm_auth_plaintext
DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group != "CN=somevpn...", Auth-Type := Reject

Is it a good idea to force the Auth-Type in the users file? Is there a cleaner way to do this? While rewriting the rules file I am pairing accepts and denies as above. Is that necessary or will it turn out to be horribly inefficient?

