using AND logic instead of OR logic with authorization?
I'd like to authorize users based on their Calling-Station-Id via a
local users file and authenticate/authorize (simple access allowed flag)
via an ldap server. The reason I need to double authorize is because I
do not have rights to add/edit any data in the remote ldap server. I
need the authorization to essentially be an "AND" (ie, I need both
authorizations to return true in order to accept the user). Is this
I've tried doing this within a single radius instance, and I've also
tried having the ldap interaction happen via a radius proxy without
success. Here is my users file
rad_recv: Access-Request packet from host 18.104.22.168:4447, id=30,
    User-Name = "mdhare"
    User-Password = "mypass"
    NAS-Port = 2905
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Called-Station-Id = "22.214.171.124"
    Calling-Station-Id = "126.96.36.199"
    Tunnel-Client-Endpoint:0 = "188.8.131.52"
    NAS-IP-Address = 184.108.40.206
    NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "attr_filter" returns noop for request 0
rlm_realm: No '@' in User-Name = "mdhare", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "mdhare"
rlm_realm: Proxying request from user mdhare to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Preparing to proxy authentication request to realm "NULL"
modcall[authorize]: module "suffix" returns updated for request 0
modcall[authorize]: module "files" returns notfound for request 0

It is at this point I'd like authorization to stop, but it continues.
What am I doing wrong?

modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 220.127.116.11:1812
rad_recv: Access-Accept packet from host 18.104.22.168:1812, id=0,
    Service-Type = NAS-Prompt-User
    Proxy-State = 0x3330
I'd be happy to provide configuration and output that I have now for
testing, but there's no sense in being verbose if this isn't possible in
UW-Madison + WiscNet Network Engineering
24 Hr Noc: 608-263-4188
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
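
An added example, not part of the original post and not FreeRADIUS code: a small Python model of how a module group combines return codes, run over the module results shown in the debug output above, to show why a `notfound` from `files` does not stop the authorize section by default and what a per-module override changes. The action table is an assumption taken from FreeRADIUS's documented default actions for the authorize section; `evaluate_group`, the override dictionary and the `ldap` entry are hypothetical names for illustration.

```python
# Model of FreeRADIUS-style return-code handling inside a module group.
# Assumption: default actions for the authorize section as documented by
# FreeRADIUS (numbers are priorities, "return" stops the group at once).
DEFAULT_ACTIONS = {
    "reject": "return", "fail": "return", "ok": 3, "handled": "return",
    "invalid": "return", "userlock": "return",
    "notfound": 1, "noop": 2, "updated": 4,
}

def evaluate_group(results, overrides=None):
    """Return (group_result, modules_run).

    results   -- ordered (module, return_code) pairs
    overrides -- {module: {return_code: action}}, modelling a per-module
                 block such as  files { notfound = reject }
    """
    overrides = overrides or {}
    # Assumed starting state: nothing matched yet, lowest priority.
    result, priority, ran = "notfound", 0, []
    for module, code in results:
        ran.append(module)
        action = {**DEFAULT_ACTIONS, **overrides.get(module, {})}[code]
        if action == "return":    # stop; the group result is this code
            return code, ran
        if action == "reject":    # stop; the group result is forced to reject
            return "reject", ran
        if action >= priority:    # otherwise keep the highest-priority code
            result, priority = code, action
    return result, ran

# Constructed from the module results in the debug output above.
LOGGED = [("preprocess", "ok"), ("attr_filter", "noop"),
          ("suffix", "updated"), ("files", "notfound")]

# Hypothetical AND arrangement: a miss in either lookup ends the request.
AND_OVERRIDES = {"files": {"notfound": "reject"},
                 "ldap": {"notfound": "reject"}}

if __name__ == "__main__":
    # Defaults: notfound is only a low-priority result, so "updated" wins.
    print(evaluate_group(LOGGED))
    # With the override, the miss in files rejects immediately.
    print(evaluate_group(LOGGED, AND_OVERRIDES))
    # files matches but the (hypothetical) ldap lookup misses: still reject.
    both = LOGGED[:3] + [("files", "ok"), ("ldap", "notfound")]
    print(evaluate_group(both, AND_OVERRIDES))
```

With the default table the model returns `updated`, the same group result the debug output reports.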