On 6/26/06, duckeo <[EMAIL PROTECTED]> wrote:
The aim is to authenticate users to their MS Active Directory account
via LDAP, and then check that the user is a member of the WirelessVPN
group -- if these two conditions are met then the user is granted access.

What's happening at the moment is as long as the user EXISTS the
authentication will pass, even if the password is incorrect. If the
user account does not exist it will fail.

Found the problem; it looks like I'm not supposed to have Auth-Type :=
Accept at the end of the lines?

I now have:
# successful, user has LDAP password and Group access
DEFAULT Auth-Type := LDAP, Ldap-Group == "RadiusWirelessVPN"
       Service-Type = Framed,
       Framed-Protocol = PPP,
       Framed-IP-Address = 255.255.255.254,
       Framed-IP-Netmask = 255.255.255.255

# User does not have the correct password
DEFAULT Auth-Type != LDAP, Auth-Type := Reject
       Reply-Message = "Access Rejected - Please check your username and password and try again."

# User is not a member of the correct group
DEFAULT Ldap-Group == "RadiusWirelessVPN", Auth-Type := Reject
       Reply-Message = "Access Rejected - You do not have permission to log onto this service."

#default reject
DEFAULT Auth-Type := Reject
       Reply-Message = "Access Rejected - Please check your username and password and try again."

Is this the correct way to be handling errors? Functionally it works,
but it is not sending back the correct messages (i.e. hitting the
correct rule) upon failing.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
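Since the question is which of the four DEFAULT entries a given request actually hits, here is a small Python model of how rlm_files walks a users file during the authorize stage. It is an added example, not code from the post or from FreeRADIUS itself. The user names, the directory contents and the helper names (authorize, which_entry, ldap_group_matches) are constructed for illustration, and the Ldap-Group lookup is a stand-in for rlm_ldap's group comparison. The matching rules it models are: entries are tried top to bottom and the first full match wins (no Fall-Through is set in the post); a check item written with := is a "set" item that always matches; Auth-Type is a server-side check item that the comparison skips rather than compares.

```python
"""Model of users-file matching in FreeRADIUS authorize (added example).

Rules modelled (no Fall-Through, as in the posted configuration):
  * entries are tried in order; the first whose check items all match wins;
  * a check item with ':=' always matches and becomes a config item;
  * Auth-Type is a server-side check item and is skipped by the comparison,
    so 'Auth-Type != LDAP' is never actually evaluated;
  * Ldap-Group is a virtual attribute resolved by rlm_ldap; the lookup
    below is a constructed stand-in, not a real directory.
"""
from dataclasses import dataclass, field

# Check items rlm_files never compares against the request packet.
SERVER_CHECK_ITEMS = {"Auth-Type"}

# Constructed directory (assumption, not real data): user -> groups.
DIRECTORY = {
    "alice": {"RadiusWirelessVPN"},   # exists and is in the VPN group
    "bob": set(),                     # exists, not in the group
}


@dataclass
class Entry:
    comment: str
    checks: list                      # (attribute, operator, value) triples
    reply: dict = field(default_factory=dict)


def ldap_group_matches(username, group):
    """Stand-in for rlm_ldap's Ldap-Group comparison (assumed lookup)."""
    return group in DIRECTORY.get(username, set())


def check_matches(username, request, check):
    """Evaluate one check item against the request, as rlm_files would."""
    attr, op, value = check
    if op == ":=":
        return True                   # "set" items always match
    if attr in SERVER_CHECK_ITEMS:
        return True                   # skipped: never compared to the packet
    if attr == "Ldap-Group":
        member = ldap_group_matches(username, value)
        return member if op == "==" else not member
    actual = request.get(attr)
    if actual is None:
        return False                  # simplification: absent attribute never matches
    return (actual == value) if op == "==" else (actual != value)


def authorize(username, request, entries):
    """Return (index of the winning entry, config items, reply items), or None."""
    for idx, entry in enumerate(entries):
        if all(check_matches(username, request, c) for c in entry.checks):
            config = {a: v for a, op, v in entry.checks if op == ":="}
            return idx, config, dict(entry.reply)
    return None


# The four DEFAULT entries from the post, in the same order.
USERS_FILE = [
    Entry("successful, user has LDAP password and Group access",
          [("Auth-Type", ":=", "LDAP"), ("Ldap-Group", "==", "RadiusWirelessVPN")],
          {"Service-Type": "Framed", "Framed-Protocol": "PPP"}),
    Entry("User does not have the correct password",
          [("Auth-Type", "!=", "LDAP"), ("Auth-Type", ":=", "Reject")],
          {"Reply-Message": "Access Rejected - Please check your username and password and try again."}),
    Entry("User is not a member of the correct group",
          [("Ldap-Group", "==", "RadiusWirelessVPN"), ("Auth-Type", ":=", "Reject")],
          {"Reply-Message": "Access Rejected - You do not have permission to log onto this service."}),
    Entry("default reject",
          [("Auth-Type", ":=", "Reject")],
          {"Reply-Message": "Access Rejected - Please check your username and password and try again."}),
]


def which_entry(username, password="any"):
    """0-based index of the users-file entry a request for `username` hits."""
    request = {"User-Name": username, "User-Password": password}
    result = authorize(username, request, USERS_FILE)
    return None if result is None else result[0]


if __name__ == "__main__":
    for user, password in (("alice", "right"), ("alice", "wrong"), ("bob", "x"), ("nobody", "x")):
        idx, config, reply = authorize(user, {"User-Name": user, "User-Password": password}, USERS_FILE)
        print(f"{user:7} -> entry {idx + 1} ({USERS_FILE[idx].comment}); Auth-Type={config['Auth-Type']}")
```

Under these rules the model shows two things. A group member always lands on entry 1 whatever password was sent, because the users file is matched during authorize, before Auth-Type LDAP ever binds to the directory, so a "wrong password" entry in the users file cannot be selected by the password at all. Everyone else stops at entry 2: its `Auth-Type != LDAP` is skipped and its `Auth-Type := Reject` always matches, so entries 3 and 4 are never reached, which is why a non-member gets the "check your username and password" message instead of the "no permission" one.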