[email protected] wrote:
> I am using a passwd module to authorize users.

No, you are using the passwd module to store passwords.

> First passwd module
> checks

It doesn't check anything - it returns the password stored for that user.

> cisco_users file (format = "*User-Name:Cleartext-Password") and
> then passwd module must check cisco_groups file (format =
> "~Cisco-Group:*,User-Name"). However when passwd module checks the
> cisco_user file, it returns status "ok" even when user password (in
> request packet) doesn't match with cisco_user file.

As it should. As I mentioned before: it doesn't check passwords.

> So I am able to
> distinguish users only by their User-Name, but I need to check their
> passwords as well.

Why? The pap module does that.

> I cannot figure out how to write that in my authorize
> section.

Perhaps because that is not authorization but authentication.

> Later, if username and password matches an entry in my
> cisco_user file I will call cisco_group file and find to which group
> that user belongs to assign the right services.

Well, freeradius does that before. You can actually reject the user
during authorization and not go for authentication at all.
> currently my code looks like this:
>
> passwd cisco_user_module {
>         #filename = /etc/group
>         filename = /usr/local/etc/raddb/cisco_users
>         #format = "=Etc-Group-Name:::*,User-Name"
>         format = "*User-Name:Cleartext-Password"
>         hashsize = 100
>         ignorenislike = yes
>         allowmultiplekeys = yes
>         delimiter = ":"
> }
>
> authorize {
>         cisco_user_module
>         if (notfound) {
>                 update control {
>                         Auth-Type := Reject
>                 }
>                 update reply {
>                         Reply-Message := "Access denied, sorry!"
>                 }
>         }
>         elsif (ok) {            # unlang keyword is "elsif", not "elseif"
>                 cisco_group_module
>         }
> }
Make that just:

authorize {
        cisco_user_module     # looks up cisco_users, loads Cleartext-Password
        cisco_group_module    # looks up cisco_groups, loads Cisco-Group
        pap                   # sets Auth-Type := PAP when there is a password to check;
                              # the check itself runs in authenticate { Auth-Type PAP { pap } }
}

and then in post-auth:

post-auth {
        Post-Auth-Type REJECT {
                update reply {
                        Reply-Message := "Access denied, sorry!"
                }
        }
}
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
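To make Ivan's distinction concrete, here is an added toy model in Python; it is not FreeRADIUS code and not part of the original thread. It has a passwd-style lookup module that loads attributes from the two files but never touches User-Password, a pap stand-in that compares the password in the authenticate step, and the Post-Auth-Type REJECT decoration. The cisco_users / cisco_groups contents are constructed sample data, and the format-string semantics modelled ('*' key column, '*,' comma-separated key list, '=' into control, '~' into request, no prefix into reply, password columns into control) are my assumptions about how rlm_passwd routes fields, not something this thread states.

```python
import hmac
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Pairs = List[Tuple[str, str]]  # attribute list; like VALUE_PAIR lists, names may repeat
# Assumption: password columns are routed to the control list so that pap can see them.
PASSWORD_ATTRS = {"Cleartext-Password", "Crypt-Password", "NT-Password", "LM-Password"}
FieldSpec = namedtuple("FieldSpec", "name key multi target")

def pairfind(pairs: Pairs, name: str) -> Optional[str]:
    return next((v for n, v in pairs if n == name), None)

@dataclass
class Request:
    packet: Pairs                                  # request list
    control: Pairs = field(default_factory=list)   # check/config items
    reply: Pairs = field(default_factory=list)
    trace: List[Tuple[str, str]] = field(default_factory=list)  # (module, rcode)

def parse_format(fmt: str, delimiter: str = ":") -> List[FieldSpec]:
    """Assumed: '*' key, '*,' comma-separated key list, '=' control, '~' request, else reply."""
    specs = []
    for raw in fmt.split(delimiter):
        name = raw.lstrip("*,=~")
        target = "control" if name in PASSWORD_ATTRS else {"=": "control", "~": "request"}.get(raw[:1], "reply")
        specs.append(FieldSpec(name, raw.startswith("*"), raw.startswith("*,"), target))
    return specs

class PasswdModule:  # lookup only: it never compares User-Password with anything
    def __init__(self, name: str, text: str, fmt: str, delimiter: str = ":",
                 allowmultiplekeys: bool = True):
        self.name, self.multi = name, allowmultiplekeys
        self.specs = parse_format(fmt, delimiter)
        self.keyname = next(s.name for s in self.specs if s.key)
        self.table: Dict[str, List[Dict[str, Pairs]]] = {}
        for line in text.splitlines():
            cols = line.split(delimiter)
            if line.startswith("#") or len(cols) != len(self.specs):
                continue  # comment, blank or malformed line
            keys, lists = [], {"control": [], "reply": [], "request": []}
            for spec, value in zip(self.specs, cols):
                if spec.key:
                    keys = value.split(",") if spec.multi else [value]
                elif spec.name:  # empty names ("=Etc-Group-Name:::*,User-Name") are skipped
                    lists[spec.target].append((spec.name, value))
            for k in keys:
                self.table.setdefault(k.strip(), []).append(lists)

    def authorize(self, req: Request) -> str:
        entries = self.table.get(pairfind(req.packet, self.keyname) or "", [])
        if not entries:
            return "notfound"
        for lists in (entries if self.multi else entries[:1]):
            req.control += lists["control"]
            req.reply += lists["reply"]
            req.packet += lists["request"]
        return "ok"  # "ok" only means "entry found and attributes loaded"

def pap_authorize(req: Request) -> str:
    """rlm_pap in authorize: sets Auth-Type := PAP when there is a password to check."""
    if (pairfind(req.control, "Auth-Type") is None
            and pairfind(req.control, "Cleartext-Password") is not None
            and pairfind(req.packet, "User-Password") is not None):
        req.control.append(("Auth-Type", "PAP"))
        return "updated"
    return "noop"

def pap_authenticate(req: Request) -> str:
    """rlm_pap in authenticate: the actual (constant-time) password comparison."""
    stored = pairfind(req.control, "Cleartext-Password") or ""
    given = pairfind(req.packet, "User-Password") or ""
    return "ok" if hmac.compare_digest(stored.encode(), given.encode()) else "reject"

def access_request(user_mod: PasswdModule, group_mod: PasswdModule,
                   username: str, password: str) -> Tuple[str, Request]:
    req = Request(packet=[("User-Name", username), ("User-Password", password)])
    # authorize { cisco_user_module  cisco_group_module  pap }
    for mod, rcode in ((user_mod.name, user_mod.authorize(req)),
                       (group_mod.name, group_mod.authorize(req)),
                       ("pap", pap_authorize(req))):
        req.trace.append((mod, rcode))
    # authenticate { Auth-Type PAP { pap } }; with no Auth-Type (unknown user)
    # or Auth-Type := Reject the request never reaches authenticate at all.
    accepted = pairfind(req.control, "Auth-Type") == "PAP" and pap_authenticate(req) == "ok"
    if not accepted:  # post-auth { Post-Auth-Type REJECT { update reply { ... } } }
        req.reply.append(("Reply-Message", "Access denied, sorry!"))
        return "Access-Reject", req
    return "Access-Accept", req

CISCO_USERS = "alice:Secret-1\nbob:hunter2\n"             # constructed sample file
CISCO_GROUPS = "netadmins:alice,carol\nhelpdesk:bob,alice\n"  # constructed sample file
cisco_user_module = PasswdModule("cisco_user_module", CISCO_USERS, "*User-Name:Cleartext-Password")
cisco_group_module = PasswdModule("cisco_group_module", CISCO_GROUPS, "~Cisco-Group:*,User-Name")

if __name__ == "__main__":
    print(access_request(cisco_user_module, cisco_group_module, "alice", "wrong"))
```

Running it shows the point of the thread: with a wrong password the user module still returns "ok" (it found alice and loaded her stored password), and it is pap in the authenticate step that rejects; for an unknown user nothing sets Auth-Type, so the request is rejected without an authenticate step at all, and both paths pick up the Reply-Message from the REJECT section.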
Thank you a lot, Ivan, you made my mind clearer! ;)