Ok, solution 1 is good enough, and I can solve the problem with it.
But solution 2 (with SMB-Account-CTRL) does not work for me.

I set SMB-Account-CTRL := 16 (17) in radcheck and in radreply, but there is
no effect on the authorization process.

At this moment I don't clearly understand the process of Authorization and
Authentication.
I have read the doc/aaa.txt file (How Authorization, Authentication, and Accounting
requests are handled), but some corners are still dark to me.

For example:
radius receives an Access-Request with some Attribute-Value pairs.
The server begins the Authorization process: it collects data about the user by calling
modules from the authorize section.
So, question: why is the order of the check modules important? As I wrote in my earlier
letter, I switched the sql and mschap modules and the user received Access Denied.

Or another question:
When I specify some attributes in the sql DB in radreply, will those attributes
be included in the Reply Message to the client? If so, how would SMB-Account-CTRL
be considered if radius returns Access-Accept?


> -----Original Message-----
> From: 3APA3A [mailto:[EMAIL PROTECTED]]
> Sent: 24 January 2003 12:28
> To: [EMAIL PROTECTED]; Roman Bessyadovskii
> Cc: [EMAIL PROTECTED]
> Subject: Re: sql and MSCHAP and disabling user.
> 
> 
> Dear Roman Bessyadovskii,
> 
> Including mschap in the authorize{} section with "authtype" configured in
> the mschap module configuration tells the mschap module it should
> automatically detect the MS-CHAP handshake and set the auth type to MS-CHAP
> if one is found.
> 
> I see 2 possible solutions:
> 1. Remove authtype in the mschap configuration. If you need both PAP and
> MS-CHAP to work you can create an authenticate{} group from pap and mschap.
> 2. Add SMB-Account-CTRL parameter.
> 
> SMB-Account-CTRL should be 16 for a normal account, 17 for a disabled account
> and 1025 for an auto-locked account. In the general case it's a combination
> of OR'ed flags:
> 
> #define ACB_DISABLED   0x0001  /* 1 = User account disabled */
> #define ACB_HOMDIRREQ  0x0002  /* 1 = Home directory required */
> #define ACB_PWNOTREQ   0x0004  /* 1 = User password not required */
> #define ACB_TEMPDUP    0x0008  /* 1 = Temporary duplicate account */
> #define ACB_NORMAL     0x0010  /* 1 = Normal user account */
> #define ACB_MNS        0x0020  /* 1 = MNS logon user account */
> #define ACB_DOMTRUST   0x0040  /* 1 = Interdomain trust account */
> #define ACB_WSTRUST    0x0080  /* 1 = Workstation trust account */
> #define ACB_SVRTRUST   0x0100  /* 1 = Server trust account */
> #define ACB_PWNOEXP    0x0200  /* 1 = User password does not expire */
> #define ACB_AUTOLOCK   0x0400  /* 1 = Account auto locked */
> 
> (ACB_NORMAL should always be present, otherwise the account is ignored)
> 
> Having SMB-Account-CTRL gives you an additional advantage, because your
> Windows users will get a valid message ("account disabled" or "account
> locked out") instead of "invalid password".
> 
> --Friday, January 24, 2003, 10:45:15 AM, you wrote to [EMAIL PROTECTED]:
> 
> RB> Hi All.
> 
> RB> I need to set up a VPN server with radius login and store passwords in sql.
> RB> I have installed everything correctly (poptop, ppp, freeradius, mysql) and
> RB> configured it; users can connect and go through the VPN.
> 
> RB> And I want to temporarily disable a user, but I can't.
> 
> RB> That's what I do.
> 
> RB> mysql> select * from radcheck; 
> RB> +----+----------+---------------+----+--------+ 
> RB> | id | UserName | Attribute     | op | Value  | 
> RB> +----+----------+---------------+----+--------+ 
> RB> |  1 | test     | User-Password | == | test   | 
> RB> |  2 | test     | Auth-Type     | == | Reject | 
> RB> +----+----------+---------------+----+--------+ 
> 
> RB> From radiusd.conf:
> RB> authorize { 
> RB>         preprocess 
> RB>         chap 
> RB>         suffix 
> RB>         sql 
> RB>         # 
> RB>         #  If the users are logging in with an MS-CHAP-Challenge
> RB>         #  attribute for authentication, the mschap module will find
> RB>         #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
> RB>         #  to the request, which will cause the server to then use
> RB>         #  the mschap module for authentication.
> RB>         mschap 
> 
> RB> } 
> 
> RB> As described in the comment, MS-CHAP adds (or rewrites) Auth-Type for MS-CHAP and
> RB> the user can log in independently of the Reject in the sql table.
> 
> RB> If in the authorize section I switch the sql and mschap modules and set the following order
> RB> authorize { 
> RB>         ...
> RB>         mschap
> RB>         sql
> RB> }
> 
> RB> In that configuration I receive a reject if I disable a user in the sql table, but I also
> RB> receive a reject for normal (not disabled) users, with the
> RB> following log (radiusd -X).
> 
> RB> rlm_sql (sql): Released sql socket id: 4 
> RB>   modcall[authorize]: module "sql" returns ok 
> RB> modcall: group authorize returns ok 
> RB>   rad_check_password:  Found Auth-Type MS-CHAP 
> RB> auth: type "MS-CHAP" 
> RB> modcall: entering group authtype 
> RB> rlm_mschap: No LM/NT password configured. Check authorization. 
> RB>   modcall[authenticate]: module "mschap" returns invalid 
> RB> modcall: group authtype returns invalid 
> RB> auth: Failed to validate the user. 
> RB> Login incorrect: [test/<no User-Password attribute>] (from client localhost port 0)
> RB> Delaying request 0 for 1 seconds 
> 
> RB> How do I need to configure radius for it to work properly?
> RB> Or how can I disable a user in that configuration?
> 
> RB> Thanks.
> 
> RB> Rick.
> 
> RB> - 
> RB> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 
> 
> -- 
> ~/ZARAZA
> Now then, William, think carefully about this letter. (Twain)
> 
