password failover

Norbert Wegener norbert.wegener at siemens.com
Wed Feb 6 14:19:56 CET 2008


Alan DeKok wrote:
> jonr at destar.net wrote:
>   
>> How do I set up a freeradius server so that if the password fails for
>> the primary radius server it tries the secondary for the password.
>>     
>
>   In 2.0.1, you should be able to do:
>
> authenticate {
> 	...
> 	Auth-Type pap {
> 		pap
> 		if (reject) {
> 			update control {
> 				Proxy-To-Realm := "realm"
> 			}
> 			ok
> 		}
> 	}
> 	...
> }
>
>
>   
Should this kind of mechanism in 2.0.1 also be able to do something 
similar for eap?

In case I have this debug output:

Wed Feb  6 14:14:40 2008 : Debug:   rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
Wed Feb  6 14:14:40 2008 : Error: TLS Alert write:fatal:certificate expired
Wed Feb  6 14:14:40 2008 : Error:     TLS_accept:error in SSLv3 read client certificate B
Wed Feb  6 14:14:40 2008 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Wed Feb  6 14:14:40 2008 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Wed Feb  6 14:14:40 2008 : Debug:   eaptls_process returned 13
Wed Feb  6 14:14:40 2008 : Debug:   rlm_eap: Freeing handler
Wed Feb  6 14:14:40 2008 : Debug:   modsingle[authenticate]: returned from eap (rlm_eap) for request 9
Wed Feb  6 14:14:40 2008 : Debug: ++[eap] returns reject

I would like to send more information than simply "reject" to 
radpostauth, something like: Certificate error


        Auth-Type eap {
                eap
                if (reject) {
                        update control {
                                Module-Failure-Message := "Certificate error"
                        }
                        reject
                }
        }

and  in radiusd.conf:
 Post-Auth = "INSERT INTO ${postauth_table} ....values (... 
'%{control:Module-Failure-Message}',.. )

This does not work for me. Is it expected to do what I want and I have a 
configuration error? Or is this not the right way to do this? If it 
should work: What's the fault here?

Thanks
Norbert Wegener



>   Alan DeKok.




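As an added example (not part of the original thread), the following script shows how the failure reason the post wants in radpostauth could be derived outside unlang, by scanning the debug output quoted above for the rlm_eap_tls alert that precedes the "[eap] returns reject" line. The sample log is constructed from the lines in the post, and the alert-to-reason mapping is an assumption of this example, not FreeRADIUS behaviour.

```python
import re

# Constructed sample: the debug output quoted in the post, unwrapped.
SAMPLE_LOG = """\
Wed Feb  6 14:14:40 2008 : Debug:   rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
Wed Feb  6 14:14:40 2008 : Error: TLS Alert write:fatal:certificate expired
Wed Feb  6 14:14:40 2008 : Error:     TLS_accept:error in SSLv3 read client certificate B
Wed Feb  6 14:14:40 2008 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Wed Feb  6 14:14:40 2008 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Wed Feb  6 14:14:40 2008 : Debug:   eaptls_process returned 13
Wed Feb  6 14:14:40 2008 : Debug:   rlm_eap: Freeing handler
Wed Feb  6 14:14:40 2008 : Debug:   modsingle[authenticate]: returned from eap (rlm_eap) for request 9
Wed Feb  6 14:14:40 2008 : Debug: ++[eap] returns reject
"""

# TLS alert emitted by rlm_eap_tls: level (fatal/warning) and description.
ALERT_RE = re.compile(r"rlm_eap_tls: >>> TLS [\d.]+ Alert \[length \w+\], (?P<level>\w+) (?P<desc>\w+)")
# Request number the eap module result belongs to.
REQUEST_RE = re.compile(r"returned from eap \(rlm_eap\) for request (?P<req>\d+)")
# Final module return code for the request.
RESULT_RE = re.compile(r"\+\+\[eap\] returns (?P<rc>\w+)")

# Assumed mapping: TLS alerts that indicate a client certificate problem.
CERT_ALERTS = {"certificate_expired", "certificate_revoked", "certificate_unknown",
               "bad_certificate", "unknown_ca", "unsupported_certificate"}

def classify_eap_results(log_text):
    """Return one dict per '[eap] returns ...' line: request, result, alert, reason."""
    events = []
    pending = {"alert": None, "request": None}
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            pending["alert"] = m.group("desc")   # remember the last alert seen
            continue
        m = REQUEST_RE.search(line)
        if m:
            pending["request"] = int(m.group("req"))
            continue
        m = RESULT_RE.search(line)
        if m:
            rc, alert = m.group("rc"), pending["alert"]
            if rc == "reject" and alert in CERT_ALERTS:
                reason = "Certificate error: " + alert
            elif rc == "reject":
                reason = "EAP failure" + (": " + alert if alert else "")
            else:
                reason = "OK"
            events.append({"request": pending["request"], "result": rc,
                           "alert": alert, "reason": reason})
            pending = {"alert": None, "request": None}   # reset for the next request
    return events
```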