Hello-

I'd like to authorize users based on their Calling-Station-Id via a local users file and authenticate/authorize (simple access allowed flag) via an ldap server. The reason I need to double authorize is because I do not have rights to add/edit any data in the remote ldap server. I need the authorization to essentially be an "AND" (i.e., I need both authorizations to return true in order to accept the user). Is this possible?

I've tried doing this within a single radius instance, and I've also tried having the ldap interaction happen via a radius proxy without success.

Here is my users file

DEFAULT Calling-Station-Id =~ "^144\.92\."
        Service-Type = NAS-Prompt-User

Here is what a debug looks like

rad_recv: Access-Request packet from host 144.92.44.114:4447, id=30, length=123
        User-Name = "mdhare"
        User-Password = "mypass"
        NAS-Port = 2905
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Called-Station-Id = "144.92.44.114"
        Calling-Station-Id = "128.104.19.106"
        Tunnel-Client-Endpoint:0 = "128.104.19.106"
        NAS-IP-Address = 144.92.44.114
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "attr_filter" returns noop for request 0
    rlm_realm: No '@' in User-Name = "mdhare", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "mdhare"
    rlm_realm: Proxying request from user mdhare to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Preparing to proxy authentication request to realm "NULL"
  modcall[authorize]: module "suffix" returns updated for request 0
  modcall[authorize]: module "files" returns notfound for request 0

It is at this point I'd like authorization to stop, but it continues. What am I doing wrong?

modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 144.92.254.243:1812
...
...
rad_recv: Access-Accept packet from host 144.92.254.243:1812, id=0, length=30
        Service-Type = NAS-Prompt-User
        Proxy-State = 0x3330

I'd be happy to provide configuration and output that I have now for testing, but there's no sense in being verbose if this isn't possible in general.

Thanks-
-Michael

--
=======================W===
Michael Hare
UW-Madison + WiscNet Network Engineering
Desk: 608-262-5236
24 Hr Noc: 608-263-4188

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html