Hello again,
Hi,
Hi,
Is there a way to configure FreeRadius 2.1.10 to send Access-Reject
on users which don't match any of the defined groups?
I tried with:
DEFAULT Group-Name !* "", Auth-Type := Reject
        Reply-Message = "Account rejected.",
        Fall-Through = No
and
DEFAULT Group !* "", Auth-Type := Reject
        Reply-Message = "Account rejected.",
        Fall-Through = No
as the last and only rule in "users", but it isn't working:
freeradius still sends Access-Accept, even if the user does not
match any groups.
If the ONLY thing falling through to the end is incorrect stuff (i.e. you have
already dealt with group entries correctly above so they don't fall through), then
DEFAULT Auth-Type := Reject
        Reply-Message = "No group defined, Request rejected!"
alan
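The layout Alan describes, written out as an added example (not taken from the thread or from the FreeRADIUS distribution): entries in "users" are tried top to bottom, an entry that matches and carries Fall-Through = No stops processing, so the bare DEFAULT reject at the end is only reached by requests that no entry above claimed. It assumes the group is kept in SQL under the name "login" (as in this thread) and that rlm_sql is loaded, so its Sql-Group check item can be used from "users".

```text
# users file (added example): one entry per group first, catch-all last.
# Assumption: rlm_sql is loaded, so the Sql-Group check item is available;
# it runs rlm_sql's group-membership query when the entry is evaluated.

# Members of the SQL group "login" are handled here; Fall-Through = No
# stops the search so the reject entry below is never applied to them.
DEFAULT Sql-Group == "login", Service-Type == Login-User
        Fall-Through = No

# Reached only when no group entry above matched.
DEFAULT Auth-Type := Reject
        Reply-Message = "No group defined, Request rejected!"
```

The order matters: with a bare DEFAULT as the first and only entry, every request matches it, which is exactly what "Matched entry DEFAULT" in the debug output shows.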
I've done that now but it's still not working for me, I guess I'm doing
something wrong (clearly!)...
Here is what I get from "freeradiusd -X" (the relevant parts):
rad_recv: Access-Request packet from host 10.0.100.108 port 40592, id=172, length=118
        Service-Type = Login-User
        User-Name = "bogdan.enache"
        CHAP-Challenge = 0x4a267011731eae5eda2de655b9b87f57
        CHAP-Password = 0x00da19b2696591ba3e8644585715c52c5f
        Calling-Station-Id = "172.16.108.30"
        NAS-Identifier = "MKI"
        NAS-IP-Address = 10.0.100.108
[..........]
[files] users: Matched entry DEFAULT at line 209
++[files] returns ok
[..........]
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'login' ORDER BY id
[sql] User found in group login
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'login' ORDER BY id
rlm_sql (sql): Released sql socket id: 5
++[sql] returns ok
[..........]
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
Login incorrect: [bogdan.enache/<CHAP-Password>] (from client MKI port 0 cli 172.16.108.30)
Using Post-Auth-Type Reject
[..........]
As you can see, it matches the rule in "users" first, and then the group
named "login" in MySQL. There is no other match.
Here is how I defined the group in MySQL:
mysql> select * from radgroupcheck where groupname = "login";
+----+-----------+--------------+----+------------+
| id | groupname | attribute    | op | value      |
+----+-----------+--------------+----+------------+
|  2 | login     | Service-Type | == | Login-User |
+----+-----------+--------------+----+------------+
1 row in set (0.00 sec)

mysql> select * from radgroupreply where groupname = "login";
+----+-----------+--------------+----+-------+
| id | groupname | attribute    | op | value |
+----+-----------+--------------+----+-------+
| 40 | login     | Fall-Through | =  | No    |
| 32 | login     | Idle-Timeout | := | 1800  |
+----+-----------+--------------+----+-------+
2 rows in set (0.01 sec)
The user itself has only a check for "Cleartext-Password", nothing else.
I'm not sure what I'm doing wrong here...
Thanks!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html