On 8/7/09 12:39, [email protected] wrote:
Hi,

authorize {
    if((User-Name == User-Password)&& %{ldap:etc...}){
        update control {
            Auth-Type := 'NULL'
        }
    }
    else {
        # Authentication modules
    }
}
Auth-Type NULL {
    ok
}

this is pretty much what is already on the system - the trouble then is that people can then just login by using any account so long as the password is the same value eg hacker hacker they don't even need a valid account to actually authenticate.
Well the LDAP string expansion should make sure the account is actually valid... But you could use the LDAP module and check the return codes to do the same thing.
what we need is for the X=Y to work for authorise and then not give a damn about authentication - but, as said, looks like we cannot distinguish between auth and auth (if you get what I mean ;-) ) - if only we could send Service-Type from the device...
Listen on multiple interfaces and use the packet destination IP attribute with Unlang to determine policy? Then point the different services at the different IP addresses?

Arran
--
Arran Cudbard-Bell <[email protected]>,
Systems Administrator (AAA), Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
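A sketch of the two suggestions in this reply (check the LDAP module's return code, and key policy on the packet destination address), added here as an illustration and not taken from the thread or from the FreeRADIUS project. It assumes FreeRADIUS 2.x syntax, a configured `ldap` module instance, the stock `reject` instance of the `always` module, and `pap` as the site's normal authentication module; the 192.0.2.x addresses are constructed placeholders.

```unlang
# One listener per service address (addresses are constructed examples).
listen {
	type = auth
	ipaddr = 192.0.2.10	# devices that get the User-Name == User-Password rule
	port = 0
}
listen {
	type = auth
	ipaddr = 192.0.2.11	# every other service: full authentication
	port = 0
}

authorize {
	if (Packet-Dst-IP-Address == 192.0.2.10) {
		# Look the account up first, so "hacker hacker" fails
		# unless "hacker" is a real directory entry.
		ldap
		if (notfound) {
			reject
		}
		elsif ("%{User-Name}" == "%{User-Password}") {
			update control {
				Auth-Type := 'NULL'
			}
		}
		else {
			reject
		}
	}
	else {
		# Requests sent to any other listener never reach the
		# relaxed rule above (assumption: pap is used here).
		pap
	}
}

authenticate {
	Auth-Type NULL {
		ok
	}
	Auth-Type PAP {
		pap
	}
}
```

The destination address is chosen by the NAS configuration, not by the user, so only devices pointed at the first listener can reach the `Auth-Type NULL` path.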

