I am authorizing wireless network cards in the "users file" with a radius server (old cistron radius) and that is working fine.

Entry like:

    121212-232323    Auth-Type = Accept

Only network cards matching the above entry get access.

Now I am building a new radius server with FreeRadius, and user information and passwords are kept in Open-LDAP.

I have the following entry in my "users file":

    DEFAULT Huntgroup-Name == "wireless", Service-Type == Framed-User, Autz-Type:=zldap-macaddr, Auth-Type := Accept
            Fall-Through = No

and this is in "radiusd.conf":

    ldap ldap-macaddr {
            server = "localhost"
            identity = "cn=manager,dc=skrin,dc=local"
            password = kept_secret
            basedn = "ou=users,ou=internet,dc=skrin,dc=local"
            filter = "(&(macAddress=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=wireless))"
            base_filter = "(objectclass=radiusprofile)"
            start_tls = no
            dictionary_mapping = ${raddbdir}/ldap.attrmap
            ldap_connections_number = 5
            #
            # password_attribute = userPassword
            #
            # groupname_attribute = cn
            # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
            # groupmembership_attribute = radiusGroupName
            timeout = 4
            timelimit = 3
            net_timeout = 1
            # compare_check_items = yes
            # do_xlat = yes
    }

I also have different sections for different huntgroups of the LDAP entry in radiusd.conf for other services and they work fine.

The behaviour of the radius server is like this: authorize the client/user (match against huntgroup and ldap attribute search), then authenticate the user (trying to log into the ldap server with user/password), but I have Auth-Type = accept, which I understand is allowing everyone that matches the authorize section.

This breaks; it allows everyone that matches the huntgroup but fails authorize.

Is this normal or not?

Þórður Ívarsson
Skrín ehf