________________________________
From: Alan DeKok <al...@deployingradius.com>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Sent: Thu, January 28, 2010 1:00:47 AM
Subject: Re: Allowing Access via 'users' when LDAP fails

Amaru Netapshaak wrote:
> Right now, if a user isn't found in the LDAP database, a reject is returned to the switch and the port goes offline. What I'd rather have is RADIUS reply with a standard response (if the LDAP auth fails).

See doc/configurable_failover for over-riding return codes.

> I tried to do this in the users file, by moving 'files' to below 'ldap' in sites-enabled/default and then creating a DEFAULT entry in users that returned the VLAN information I wanted, but then it didn't include other relevant info that the switch needs.

That won't work. What you want is:

    ldap
    if (notfound) {
        update reply {
            ... insert attributes here...
        }
    }

You don't need the "users" file.

Alan DeKok.

Alan,

Thanks for your reply. I consulted the failover document as you suggested, but it seems that I cannot turn a REJECT into an ACCEPT that way, which is my problem. LDAP/EAP will reject an unauthorized user as it isn't found in LDAP, but I need FreeRADIUS to say "ACCEPT" this user anyway, include the right EAP information, as would an Access-Accept message, and also include my VLAN attributes (done as you described above). Just can't seem to turn REJECT into ACCEPT.

Any more tips?

Thanks!
AMARU
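An added example (not from the thread or from the FreeRADIUS project itself) showing where Alan's snippet sits in a FreeRADIUS 2.x authorize section, with the Tunnel-* VLAN attributes filled in; the surrounding module order and the VLAN id "100" are assumptions. It only adds reply attributes on the notfound branch and leaves the authentication result alone, which is exactly the limit Amaru runs into.

```unlang
# Added illustration (not from the thread or the FreeRADIUS project):
# authorize section of sites-enabled/default, FreeRADIUS 2.x syntax.
# "100" is a placeholder VLAN id.
authorize {
    preprocess
    suffix

    # EAP continuation packets return early here; the first
    # EAP-Identity round falls through to the lookups below.
    eap {
        ok = return
    }

    # Look the user up in LDAP. A user missing from the directory makes
    # the module return "notfound"; with the default authorize priorities
    # (see doc/configurable_failover) that is not itself a reject.
    ldap

    # Only for users the directory does not know: add the VLAN
    # assignment to the reply. Authentication still runs unchanged
    # afterwards, so this does not turn a reject into an accept.
    if (notfound) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "100"
        }
    }

    expiration
    logintime
    pap
}
```

Check the effect with `radiusd -X` and a test request for a user that is not in LDAP: the debug log should show `ldap` returning notfound, the `update reply` firing, and the final Access-Reject still coming from the authenticate section.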