
List:       freeradius-users
Subject:    using AND logic instead of OR logic with authorization?
From:       Michael Hare <michael.hare () doit ! wisc ! edu>
Date:       2005-08-31 19:04:54
Message-ID: 4315FF56.1030401 () doit ! wisc ! edu

Hello-

I'd like to authorize users based on their Calling-Station-Id via a 
local users file and authenticate/authorize (simple access allowed flag) 
via an ldap server.  The reason I need to double authorize is because I 
do not have rights to add/edit any data in the remote ldap server.  I 
need the authorization to essentially be an "AND" (i.e., I need both 
authorizations to return true in order to accept the user).  Is this 
possible?

I've tried doing this within a single radius instance, and I've also 
tried having the ldap interaction happen via a radius proxy without 
success.  Here is my users file:

DEFAULT Calling-Station-Id =~ "^144\.92\."
        Service-Type = NAS-Prompt-User

Here is what a debug looks like:

rad_recv: Access-Request packet from host 144.92.44.114:4447, id=30, length=123
         User-Name = "mdhare"
         User-Password = "mypass"
         NAS-Port = 2905
         Service-Type = Framed-User
         Framed-Protocol = PPP
         Called-Station-Id = "144.92.44.114"
         Calling-Station-Id = "128.104.19.106"
         Tunnel-Client-Endpoint:0 = "128.104.19.106"
         NAS-IP-Address = 144.92.44.114
         NAS-Port-Type = Virtual
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "attr_filter" returns noop for request 0
     rlm_realm: No '@' in User-Name = "mdhare", looking up realm NULL
     rlm_realm: Found realm "NULL"
     rlm_realm: Adding Stripped-User-Name = "mdhare"
     rlm_realm: Proxying request from user mdhare to realm NULL
     rlm_realm: Adding Realm = "NULL"
     rlm_realm: Preparing to proxy authentication request to realm "NULL"
   modcall[authorize]: module "suffix" returns updated for request 0
   modcall[authorize]: module "files" returns notfound for request 0

It is at this point I'd like authorization to stop, but it continues. 
What am I doing wrong?

modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 144.92.254.243:1812
...
...
rad_recv: Access-Accept packet from host 144.92.254.243:1812, id=0, length=30
         Service-Type = NAS-Prompt-User
         Proxy-State = 0x3330


I'd be happy to provide configuration and output that I have now for 
testing, but there's no sense in being verbose if this isn't possible in 
general.

Thanks-
-Michael


-- 
=======================W===
Michael Hare
UW-Madison + WiscNet Network Engineering
Desk:      608-262-5236
24 Hr Noc: 608-263-4188
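
An added example, not part of the original message: a small Python check over the debug lines quoted above (copied inline as sample input) that extracts each authorize module's return code and tests the request's Calling-Station-Id against the users-file pattern. It shows that the local entry did not match while the request was still proxied. The function and variable names are hypothetical.

```python
import re

# Sample input: lines copied from the debug output in the message above.
DEBUG = '''\
         Calling-Station-Id = "128.104.19.106"
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "attr_filter" returns noop for request 0
   modcall[authorize]: module "suffix" returns updated for request 0
   modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 144.92.254.243:1812
'''

# Pattern from the DEFAULT entry in the users file shown in the message.
USERS_PATTERN = r"^144\.92\."

MODULE_RE = re.compile(r'modcall\[authorize\]: module "([^"]+)" returns (\w+)')
GROUP_RE = re.compile(r'modcall: group authorize returns (\w+)')
CSID_RE = re.compile(r'^\s*Calling-Station-Id = "([^"]*)"', re.M)


def summarize(debug, pattern=USERS_PATTERN):
    """Report per-module results and whether the request left the server
    without matching the local users-file entry."""
    modules = dict(MODULE_RE.findall(debug))
    group = GROUP_RE.search(debug)
    csid = CSID_RE.search(debug)
    station = csid.group(1) if csid else None
    matched = bool(station and re.search(pattern, station))
    proxied = "Sending Access-Request" in debug
    return {
        "modules": modules,
        "group_result": group.group(1) if group else None,
        "calling_station_id": station,
        "users_entry_matched": matched,
        "proxied": proxied,
        # The case the poster wants to stop: no local match, yet forwarded.
        "policy_gap": proxied and not matched,
    }


if __name__ == "__main__":
    for key, value in summarize(DEBUG).items():
        print(f"{key}: {value}")
```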