Hi all,

Currently using FR for PEAP authentication, with LDAP as the user database.
I'm trying to do the following setup: certain APs only allow a selected group of users (determined by LDAP group) access and deny everyone else, while other APs allow all valid users. I'm using CVS snapshot 20040319, with RH 9.

My huntgroups file:

    RestrictedAP    NAS-IP-Address == 10.1.22.220

My users file:

    DEFAULT Ldap-Group == "cn=JKR,o=Office", Huntgroup-Name == RestrictedAP
            Fall-Through = no

    DEFAULT Huntgroup-Name != RestrictedAP
            Fall-Through = no

    DEFAULT Auth-Type := Reject

When users connect to an AP belonging to RestrictedAP, those users belonging to LDAP group "cn=JKR,o=Office" are correctly matched to the first DEFAULT entry. But other users get matched to the 2nd DEFAULT entry instead of being rejected. Did I misconfigure something somewhere?

Following is the connection log for a user not belonging to the LDAP group; I only include the first RADIUS packet to keep this post short. What is interesting is that there are 2 huntgroups match statements, while for users in the LDAP group there is only 1 huntgroups match statement.
rad_recv: Access-Request packet from host 10.1.22.220:6001, id=177, length=131
        User-Name = "lasuser"
        NAS-IP-Address = 10.1.22.220
        Called-Station-Id = "4a-db-93"
        Calling-Station-Id = "1c-08-e7"
        NAS-Identifier = "AP03"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0202000c016c617375736572
        Message-Authenticator = 0xfe444a0ed5bd0c4ae0c0967bd6ea8ebe
rad_lowerpair: User-Name now 'lasuser'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 11
  modcall[authorize]: module "preprocess" returns ok for request 11
  modcall[authorize]: module "mschap" returns noop for request 11
    rlm_realm: No '@' in User-Name = "lasuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 11
  rlm_eap: EAP packet type response id 2 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 11
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'o=Office'
radius_xlat: '(uid=lasuser)'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=Office, with filter (uid=lasuser)
ldap_release_conn: Release Id: 0
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=lasuser,o=Office))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=lasuser,o=Office)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=JKR,o=Office, with filter (|(&(objectClass=GroupOfNames)(member=uid=lasuser,o=Office))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=lasuser,o=Office)))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group cn=JKR,o=Office not found or user is not a member.
    huntgroups: Matched RestrictedAP at 1
    huntgroups: Matched RestrictedAP at 1
    users: Matched DEFAULT at 4
  modcall[authorize]: module "files" returns ok for request 11
rlm_ldap: - authorize
rlm_ldap: performing user authorization for lasuser
radius_xlat: '(uid=lasuser)'
radius_xlat: 'o=Office'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=Office, with filter (uid=lasuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 0x & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user lasuser authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 11
modcall: group authorize returns updated for request 11
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 11
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 11
modcall: group authenticate returns handled for request 11
Sending Access-Challenge of id 177 to 10.1.22.220:6001
        EAP-Message = 0x010300060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8f451a390dc47f214d4bda0214f50ba8
Finished request 11
Going to the next request

I can provide more info if needed. Any help greatly appreciated.
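As an added illustration (an editor's model, not FreeRADIUS source and not the poster's code), the following Python walks the three DEFAULT entries from the post under first-match semantics with Fall-Through, so the outcome each request should get can be compared with the log. The LDAP group membership, the member user name jkruser and the non-restricted NAS address 10.1.22.221 are constructed assumptions.

```python
# Constructed model of first-match "users" file evaluation (not FreeRADIUS code),
# using the huntgroups and users entries from the post above.
HUNTGROUPS = {"RestrictedAP": ["10.1.22.220"]}   # huntgroups: RestrictedAP NAS-IP-Address == 10.1.22.220
LDAP_GROUPS = {"cn=JKR,o=Office": {"jkruser"}}   # constructed membership; "jkruser" is hypothetical

# Each entry: ([(attribute, operator, value), ...] check items, Fall-Through flag).
USERS = [
    ([("Ldap-Group", "==", "cn=JKR,o=Office"), ("Huntgroup-Name", "==", "RestrictedAP")], False),
    ([("Huntgroup-Name", "!=", "RestrictedAP")], False),
    ([("Auth-Type", ":=", "Reject")], False),
]

def check_item(request, control, attr, op, value):
    """Evaluate one check item. ':=' always matches and sets a control item;
    Huntgroup-Name and Ldap-Group are virtual attributes resolved by lookup."""
    if op == ":=":
        control[attr] = value
        return True
    if attr == "Huntgroup-Name":
        truth = request["NAS-IP-Address"] in HUNTGROUPS.get(value, [])
    elif attr == "Ldap-Group":
        truth = request["User-Name"] in LDAP_GROUPS.get(value, set())
    else:
        truth = request.get(attr) == value
    if op == "==":
        return truth
    if op == "!=":
        return not truth
    raise ValueError(f"unsupported operator {op}")

def evaluate(request):
    """Walk entries top to bottom; stop at the first full match unless Fall-Through = yes.
    Returns (indexes of matched entries, control items collected)."""
    control, matched = {}, []
    for idx, (checks, fall_through) in enumerate(USERS):
        trial = dict(control)          # ':=' only takes effect if the whole entry matches
        if all(check_item(request, trial, *c) for c in checks):
            matched.append(idx)
            control = trial
            if not fall_through:
                break
    return matched, control

def decide(user, nas_ip):
    """Outcome for one request: 'reject' if the users file set Auth-Type := Reject."""
    _, control = evaluate({"User-Name": user, "NAS-IP-Address": nas_ip})
    return "reject" if control.get("Auth-Type") == "Reject" else "continue"
```

Under these semantics lasuser on 10.1.22.220 fails both the first and the second entry and reaches the Reject entry, which is the outcome the post expects rather than the "Matched DEFAULT at 4" the log shows.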