RE: EAP-TLS reject if CN not in MySQL

2005-09-28 Thread Jonathan De Graeve
In Doc:

imply a group that changes the default ACTIONs to something like

  fail = 1
  everythingelse = return

Tried in config:

everythingelse = return

radiusd.conf[1637] Unknown module rcode 'everythingelse'.

Also tried:

everything_else = return

radiusd.conf[1637] Unknown module rcode 'everything_else'.

Any ideas?



-- 
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the
number of incorrect ways to do things is almost infinite
-
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Ben
Dowling
Sent: Tuesday 27 September 2005 22:42
To: FreeRadius users mailing list
Subject: Re: EAP-TLS reject if CN not in MySQL

Brilliant, that does the trick.

Thanks a lot, Ben

On Tue, 2005-09-27 at 16:05 -0400, Alan DeKok wrote:
 Ben Dowling [EMAIL PROTECTED] wrote:
  Sorry I was referring to the username, the CN in the certificate
gets
  sent as the username. My problem is how to reject users with valid
  certificates, but no entry in the database?
 
   doc/configurable_failover
 
   configure a module always reject (see radiusd.conf)
 
   In authorize, do:
 
   ...
   group {
 sql {
 notfound = 1
 ok = return
 fail = return
 everything_else = return
 }
 reject
   }
 
   That says if the user isn't found in SQL, reject
 
   Alan DeKok.
 - 
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



Re: EAP-TLS reject if CN not in MySQL

2005-09-28 Thread Alan DeKok
Jonathan De Graeve [EMAIL PROTECTED] wrote:
 imply a group that changes the default ACTIONs to something like
 
   fail = 1
   everythingelse = return
 
 Tried in config:
 
 everythingelse = return
 
 radiusd.conf[1637] Unknown module rcode 'everythingelse'.

  It was NOT meant to be taken literally.

 Any ideas?

  Read doc/configurable_failover, and type in all the other return
codes by hand.

  Alan DeKok.



Re: EAP-TLS reject if CN not in MySQL

2005-09-27 Thread Ben Dowling

Hi,

I still haven't figured this one out, and would really appreciate some 
help. I've tried playing around with the DEFAULT profile in the users 
file, giving it Auth-Type: Reject, but certificates with CN not in the 
database are still authenticated. How do I get freeradius to check for 
the username in mysql with EAP-TLS?


Cheers, Ben

Ben Dowling wrote:


Hi,

I have freeradius-1.04 configured with MySQL using EAP-TLS and PEAP 
for authentication. I wish to reject users whose common name (CN) is 
not included in the MySQL database. I have read the thread regarding 
this exact problem at:


http://lists.cistron.nl/pipermail/freeradius-users/2004-May/032110.html

and it seems I need to set the DEFAULT profile to reject. I don't 
quite understand the thread though, is this the DEFAULT profile in the 
users file, or can I configure this in MySQL. Either way, could 
someone please provide me with an example of what the DEFAULT profile 
entry should look like in order to achieve this?


Thanks for the help,

Ben Dowling


Re: EAP-TLS reject if CN not in MySQL

2005-09-27 Thread Alan DeKok
Ben Dowling [EMAIL PROTECTED] wrote:
 I still haven't figured this one out, and would really appreciate some 
 help. I've tried playing around with the DEFAULT profile in the users 
 file, giving it Auth-Type: Reject, but certificates with CN not in the 
 database are still authenticated. How do I get freeradius to check for 
 the username in mysql with EAP-TLS?

  I don't recall if you can get at the CN from the certificate.  Maybe
try keying off of the User-Name?

  Alan DeKok.



Re: EAP-TLS reject if CN not in MySQL

2005-09-27 Thread Ben Dowling
Sorry I was referring to the username, the CN in the certificate gets
sent as the username. My problem is how to reject users with valid
certificates, but no entry in the database?

Cheers, Ben

On Tue, 2005-09-27 at 14:01 -0400, Alan DeKok wrote:
 Ben Dowling [EMAIL PROTECTED] wrote:
  I still haven't figured this one out, and would really appreciate some 
  help. I've tried playing around with the DEFAULT profile in the users 
  file, giving it Auth-Type: Reject, but certificates with CN not in the 
  database are still authenticated. How do I get freeradius to check for 
  the username in mysql with EAP-TLS?
 
   I don't recall if you can get at the CN from the certificate.  Maybe
 try keying off of the User-Name?
 
   Alan DeKok.
 


Re: EAP-TLS reject if CN not in MySQL

2005-09-27 Thread Alan DeKok
Ben Dowling [EMAIL PROTECTED] wrote:
 Sorry I was referring to the username, the CN in the certificate gets
 sent as the username. My problem is how to reject users with valid
 certificates, but no entry in the database?

  doc/configurable_failover

  configure a module always reject (see radiusd.conf)

  In authorize, do:

...
group {
  sql {
  notfound = 1
  ok = return
  fail = return
  everything_else = return
  }
  reject
}

  That says if the user isn't found in SQL, reject

  Alan DeKok.
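The configuration Alan's two replies describe, written out in full for FreeRADIUS 1.x as an added example (this is not text from the list posts): the "always" module instance that returns reject, and the authorize group with every return code typed in by hand, since doc/configurable_failover defines no "everything_else" keyword and radiusd.conf rejects it. The surrounding modules (preprocess, eap, files) and their order are an assumption about a typical authorize section.

```conf
# radiusd.conf (FreeRADIUS 1.x), modules section.
# The "always" instance named "reject" is defined in the stock
# radiusd.conf; add it here if yours lacks it.
modules {
    always reject {
        rcode = reject
    }
    # sql { ... } for MySQL is normally pulled in from sql.conf
}

authorize {
    preprocess
    eap
    # For EAP-TLS the supplicant sends the certificate CN as the
    # User-Name, so rlm_sql looks that name up.  Only "notfound"
    # continues (priority 1) to the next module in the group, which
    # is the always-reject instance; every other return code leaves
    # the group with "return".  Assumed list of rcodes follows
    # doc/configurable_failover; there is no wildcard entry.
    group {
        sql {
            notfound = 1
            ok       = return
            updated  = return
            noop     = return
            fail     = return
            reject   = return
            userlock = return
            invalid  = return
            handled  = return
        }
        reject
    }
    files
}
```

Watch the log on a test request: a certificate whose CN has no row in MySQL should now produce an Access-Reject in authorize before EAP-TLS completes, while a known CN proceeds to the eap authentication as before.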