Thanks for the reply.

First, adding an else to the if statement doesn't really help. As that is
in the authorize section that simply queries AD via LDAP to check for
groups of the user. It uses an admin DN to bind and query, not the actual
user credentials (as this is a PEAP) request. So I actually need to set
that attribute in the authenticate section when I determine that
authentication had failed.

All that being said, I was unaware of what you stated in your second
paragraph. I did test that though. I just always return ACCEPT - ACCEPT
when the calling station ID was from the wireless controller. Even when I
provided wrong credentials radius returned ACCEPT-ACCEPT which indicated to
the controller it was successful and the user was able to get on WIFI (just
the wrong VLAN because LDAP found the user in a specific group and assigned
that VLAN).


On Wed, May 1, 2013 at 3:36 PM, <a.l.m.bu...@lboro.ac.uk> wrote:

> Hi,
>
> >            elsif (Ldap-Group == "netCoreClass-finance") {
> >                    update reply {
> >                            Tunnel-Private-Group-Id:1 := 124
> >                    }
> >            }
> >    Authentication is against Active Directory. So while a user may get
> >    assigned to a VLAN based of their group membership, if they fail to
> >    actually authenticate I want to change what VLAN they are assigned to
> >    (want to put them into a guest VLAN).
> >    How can I update reply attributes further down the chain?
>
>             else  {
>                     update reply {
>                             Tunnel-Private-Group-Id:1 := 666
>                     }
>
> >    The reason I am doing this is I have an old Cisco wireless LAN
> controller
> >    that can't fall back to MAC 802.1x authentication. Therefore if a user
> >    fails with their credentials they fail to authenticate all together.
> So
> >    when coming from the wireless LAN controller I want always Accept.
>
> what type of system is this? 802.1X ? if so, then you cant just blindly
> Access-Accept
> EAP auths if they've got incorrect user/pass - the WPA/WPA2 enterprise key
> is derived from
> mutual agreement.
>
> if, however, this is just eg PAP with some captive portal thing then
> that'd work.
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to