________________________________
From: Alan DeKok <al...@deployingradius.com>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Sent: Thu, January 28, 2010 1:00:47 AM
Subject: Re: Allowing Access via 'users' when LDAP fails

Amaru Netapshaak wrote:
> Right now, if a user isn't found in the LDAP database, a reject is
> returned to the switch and the port goes offline. What I'd rather have
> is RADIUS reply with a standard response (if the LDAP auth fails).

  See doc/configurable_failover for over-riding return codes.

> I tried to do this in the users file, by moving 'files' to below 'ldap'
> in sites-enabled/default and then creating a DEFAULT entry in users that
> returned the VLAN information I wanted, but then it didn't include other
> relevant info that the switch needs.

  That won't work.

  What you want is:

    ldap
    if (notfound) {
        update reply {
            ... insert attributes here...
        }
    }

  You don't need the "users" file.

  Alan DeKok.

Alan,

Thanks for your reply.  I consulted the failover document as you suggested,
but it seems that I cannot turn a REJECT into an ACCEPT that way, which is my
problem.  LDAP/EAP will reject an unauthorized user as it isn't found in LDAP,
but I need FreeRADIUS to say "ACCEPT" this user anyway, include the right EAP
information, as an Access-Accept message would, and also include my VLAN
attributes (done as you described above).

Just can't seem to turn REJECT into ACCEPT.   Any more tips?

Thanks!
AMARU
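The pattern Alan describes, written out as a complete authorize section. This is an added example and not code from the thread or from the FreeRADIUS project; the surrounding modules (preprocess, eap) follow a stock FreeRADIUS 2.x sites-enabled/default, and the guest VLAN number 100 is an assumption. Two points a practitioner will want: "notfound" (server answered, no entry) is deliberately kept apart from "fail" (server unreachable), so an LDAP outage never parks every unknown user on the guest VLAN; and reply attributes set in authorize are only sent if the authenticate section later succeeds, so with EAP the user still has to complete the EAP exchange with real credentials. Nothing in authorize can manufacture an Access-Accept for a user who has no credentials to authenticate with, because the supplicant only trusts an Access-Accept that carries the EAP-Success of a completed EAP conversation; parking unauthenticated 802.1X ports is a job for the switch's own guest/auth-fail VLAN feature, not for the RADIUS server.

```unlang
#  sites-enabled/default, authorize section (FreeRADIUS 2.x unlang).
#  Added example, not the thread's or the project's own configuration.
#  VLAN 100 is an assumed guest VLAN; change it for your network.
authorize {
    preprocess

    #  Mid-conversation EAP packets need nothing further from authorize.
    #  The first (EAP-Identity) packet falls through so the LDAP lookup runs.
    eap {
        ok = return
    }

    ldap

    #  notfound: LDAP answered and has no entry for this user.
    #  These reply attributes are only sent if authenticate succeeds.
    if (notfound) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "100"
        }
    }
    #  fail: LDAP could not be reached. Refuse rather than guess, so an
    #  outage does not silently move unknown users onto the guest VLAN.
    elsif (fail) {
        reject
    }
}
```

Check the two branches with radtest or eapol_test while tailing `radiusd -X`: a user absent from LDAP should show `notfound` followed by the `update reply`, and stopping the LDAP server should show `fail` followed by the reject, never the VLAN attributes.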

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html