Hello all,
I am having difficulty checking for a radiusgroupname via LDAP without
using the file /etc/raddb/users, as it seems to be difficult to avoid LDAP
checks for anonymous identities if the default config is modified.
I must service eap-peap and eap-ttls with mschapv2.
How can I make checks on
On Tue, Jun 01, 2010 at 12:41:38PM +0200, Fred MAISON wrote:
I have not been able to place something like this in the post-auth
section of inner-tunnel ...
if ( %{control:Ldap-Group} == wireless ) {
noop
} else {
Fred MAISON wrote:
How can I make checks on ldap radiusgroupname without using the user
file ?
Use attribute comparisons just like the users file.
I have not been able to place something like this in the post-auth
section of inner-tunnel ...
if ( %{control:Ldap-Group} ==
I surely misunderstand something : in my test :
User is found on ldap in group wireless, but (Ldap-Group != wireless)
evaluates to TRUE ...
NOTE : user has multiple radiusgroupname
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap]
Fred MAISON wrote:
I surely misunderstand something : in my test :
User is found on ldap in group wireless, but (Ldap-Group != wireless)
evaluates to TRUE ...
Err that's fairly broken right now. Try:
if (!(LDAP-Group == wireless)) {
...
The reasons for this
Thanks, Alan.
It seems to work with the following :
in sites-enabled/default :
post-auth {
if ( EAP-Type == Cisco-LEAP ) {
if (!(Ldap-Group == wireless)) {
fail
}
}
.
in sites-enabled/inner-tunnel :
post-auth {