[prev in list] [next in list] [prev in thread] [next in thread]
List: freeradius-users
Subject: using AND logic instead of OR logic with authorization?
From: Michael Hare <michael.hare () doit ! wisc ! edu>
Date: 2005-08-31 19:04:54
Message-ID: 4315FF56.1030401 () doit ! wisc ! edu
[Download RAW message or body]
Hello-
I'd like to authorize users based on their Calling-Station-Id via a
local users file and authenticate/authorize (simple access allowed flag)
via an ldap server. The reason I need to double authorize is because I
do not have rights to add/edit any data in the remote ldap server. I
need the authorization to essentially be an "AND" (ie, I need both
authorizations to return true in order to accept the user). Is this
possible?
I've tried doing this within a single radius instance, and I've also
tried having the ldap interaction happen via a radius proxy without
success. Here is my users file
DEFAULT Calling-Station-Id =~ "^144\.92\."
Service-Type = NAS-Prompt-User
Here is what a debug looks like
rad_recv: Access-Request packet from host 144.92.44.114:4447, id=30,
length=123
User-Name = "mdhare"
User-Password = "mypass"
NAS-Port = 2905
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "144.92.44.114"
Calling-Station-Id = "128.104.19.106"
Tunnel-Client-Endpoint:0 = "128.104.19.106"
NAS-IP-Address = 144.92.44.114
NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "attr_filter" returns noop for request 0
rlm_realm: No '@' in User-Name = "mdhare", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "mdhare"
rlm_realm: Proxying request from user mdhare to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Preparing to proxy authentication request to realm "NULL"
modcall[authorize]: module "suffix" returns updated for request 0
modcall[authorize]: module "files" returns notfound for request 0
it as at this point I'd like authorization to stop, but it continues.
What am I doing wrong?
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 144.92.254.243:1812
...
...
rad_recv: Access-Accept packet from host 144.92.254.243:1812, id=0,
length=30
Service-Type = NAS-Prompt-User
Proxy-State = 0x3330
I'd be happy to provide configuration and output that I have now for
testing, but there's no sense in being verbose if this isn't possible in
general.
Thanks-
-Michael
--
=======================W===
Michael Hare
UW-Madison + WiscNet Network Engineering
Desk: 608-262-5236
24 Hr Noc: 608-263-4188
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic