Lew A wrote:
I'm trying to set it up so, when a connection comes in from a certain
NAS-IP-Address, and the user trying to connect has a specific Ldap
Attribute set they won't be able to connect. I haven't been able to
successfully figure out how to do this. I'm using FreeRadius 0.98. It
matches default 93, then does ldap stuff, then because it auths with ldap
it just returns. Is there a way to get it to go back to users so I can
deny based on an ldap attribute?

This is what I have setup:
huntgroup:
ludo           NAS-IP-Address == 255.255.255.255

users:
DEFAULT Auth-Type = Ldap              <= default 93
        Fall-Through = 1

DEFAULT Huntgroup-Name == ludo, Test == 28, Auth-Type := Reject
        Reply-Message = "woah."

I'm doing something similar, but I filter this stuff in the ldap search filter. I set up two ldap modules in the radiusd.conf file:
ldap ldap_dsl {
filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectClass=aptAccount)(aptDSLEnabled=1)(aptAccountEnabled=1))"
dictionary_mapping = ${raddbdir}/ldap_dsl.attrmap
}
ldap ldap_dialup {
filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectClass=aptAccount)(aptDialupEnabled=1)(aptAccountEnabled=1))"
dictionary_mapping = ${raddbdir}/ldap_dialup.attrmap
}
authorize {
  autztype ldap_dialup { ldap_dialup }
  autztype ldap_dsl { ldap_dsl }
}

Then in my users config file I define which ldap module to use based on nas:

DEFAULT Auth-Type := DSL, NAS-IP-Address == "x.x.x.x", Autz-Type := ldap_dsl
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-MTU = 1492

DEFAULT Auth-Type := DIALUP, NAS-IP-Address == "x.x.x.x", Autz-Type := ldap_dialup
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-MTU = 1500

That way I can use a completely different search filter and attribute set for my dial and DSL NASes. This gives me the ability to assign a different dialup and DSL static IP to the same user.

HTH,

schu
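The authorize flow schu describes (a users-file DEFAULT entry picks an Autz-Type by NAS-IP-Address, then the chosen ldap module's filter is expanded and searched), simulated as an added Python example. This is not FreeRADIUS code or schu's configuration: the two filter strings are copied from the post, but the NAS addresses (standing in for x.x.x.x), the user names and the directory entries are constructed. The example also escapes the expanded user name per RFC 4515 before it enters the filter, which is the property to check in a real deployment, since an unescaped User-Name could otherwise widen the search.

```python
"""Simulate FreeRADIUS authorize: users file -> Autz-Type -> ldap filter.
Added example (not FreeRADIUS or the poster's code). NAS addresses, user
names and directory contents below are constructed sample data."""
import re

# Stand-in for the two DEFAULT entries in the users file; the real NAS
# addresses were elided as x.x.x.x in the post, so these are made up.
USERS_FILE = {
    "192.0.2.10": "ldap_dsl",
    "192.0.2.20": "ldap_dialup",
}

# Filters copied verbatim from the two ldap module definitions.
LDAP_MODULES = {
    "ldap_dsl": "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectClass=aptAccount)(aptDSLEnabled=1)(aptAccountEnabled=1))",
    "ldap_dialup": "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectClass=aptAccount)(aptDialupEnabled=1)(aptAccountEnabled=1))",
}

# Constructed directory: alice may use DSL only, bob's account is disabled.
DIRECTORY = [
    {"uid": ["alice"], "objectClass": ["aptAccount"], "aptDSLEnabled": ["1"],
     "aptDialupEnabled": ["0"], "aptAccountEnabled": ["1"]},
    {"uid": ["bob"], "objectClass": ["aptAccount"], "aptDSLEnabled": ["1"],
     "aptDialupEnabled": ["1"], "aptAccountEnabled": ["0"]},
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """RFC 4515 escaping so a request value cannot change the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template, request):
    """Expand %{Attr} and %{Attr:-default} innermost-first, escaping values."""
    while True:
        m = re.search(r"%\{([^{}]*)\}", template)
        if not m:
            return template
        name, _, default = m.group(1).partition(":-")
        value = request.get(name)
        repl = ldap_escape(value) if value is not None else default
        template = template[:m.start()] + repl + template[m.end():]


def _parse(s, i):
    """Parse one filter node starting at s[i] == '('; supports '&' and '='."""
    if s[i + 1] == "&":
        subs, i = [], i + 2
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        return ("and", subs), i + 1  # skip the closing ')'
    end = s.index(")", i)
    attr, _, value = s[i + 1:end].partition("=")
    return ("eq", attr, value), end + 1


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(node, entry):
    if node[0] == "and":
        return all(matches(sub, entry) for sub in node[1])
    _, attr, value = node
    wanted = _unescape(value).lower()
    return any(v.lower() == wanted for v in entry.get(attr, []))


def search(filter_str):
    """Return the directory entries matching a fully expanded filter."""
    node, _ = _parse(filter_str, 0)
    return [e for e in DIRECTORY if matches(node, e)]


def authorize(request):
    """Return (Autz-Type, matched uid or None). No uid means the ldap module
    finds no entry, so the enabled flags in the filter act as the deny."""
    autz = USERS_FILE.get(request.get("NAS-IP-Address"))
    if autz is None:
        return None, None
    hits = search(expand(LDAP_MODULES[autz], request))
    return autz, (hits[0]["uid"][0] if hits else None)


if __name__ == "__main__":
    for nas in USERS_FILE:
        for user in ("alice", "bob"):
            print(nas, user, authorize({"NAS-IP-Address": nas, "User-Name": user}))
```

The point the example makes concrete is why this approach sidesteps the Fall-Through problem in the original question: the per-service enabled flags are part of the LDAP search itself, so a user who is disabled for the service behind a given NAS simply produces no entry and never reaches an Auth-Type that would accept them.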

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
