Can FreeRADIUS retry authentication with another Active Directory after Post-Auth-Type REJECT

Alan DeKok aland at
Sun Jun 10 18:39:57 CEST 2018

On Jun 9, 2018, at 11:01 PM, Peter Drucker <druckers at> wrote:
> This is what I want to 'happen':
> if any of the 'authenticate' modules 'reject' or 'notfound',
>              check if 'policy' module says 'handled'.
>              If it says 'handled', then
>                  - retry 'authentication' with fall-through AD.
>                  - 'fall-through' AD info is supplied by 'policy' module.

  How?  AD queries are done via ntlm_auth, or via the winbind module.  What "info" is being supplied here?

>              If 'policy' module says 'reject'
>                  - come out of 'authenticate'

  The main issue there is that modules like MS-CHAP will return MS-CHAP error attributes.  So you can't just "fall through" to trying something else.  You also need to delete the MS-CHAP error attributes.

  Honestly, it's always better to do the right thing, and only the right thing.  It's bad to do something wrong, and then try to do the right thing.

  So *why* are you failing over to a different AD server?  Why not just try that AD server in the first place?

  If you want to catch the "reject" return code from a module, read this page:

  It has examples for how to do configurable failover.

  Alan DeKok.
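One way to wire up the failover Alan describes, as an added example for FreeRADIUS 3.x unlang that is not part of this thread: it assumes a second mschap instance named mschap_backup (an ordinary copy of mods-available/mschap whose ntlm_auth line points at the fallback domain) and uses the return-code override so the first reject does not end the section before the error attribute is cleared and the retry runs.

```unlang
# Added example (not from the thread). Assumes a second mschap instance
# named "mschap_backup" whose ntlm_auth command targets the fallback AD.
authenticate {
    Auth-Type MS-CHAP {
        # By default a "reject" rcode returns from the section at once.
        # Assigning it a priority lets the statements below still run.
        mschap {
            reject = 1
        }

        if (reject) {
            # The first mschap call already added MS-CHAP-Error to the
            # reply; remove it so a successful retry does not carry a
            # stale error back to the client.
            update reply {
                &MS-CHAP-Error !* ANY
            }

            # Retry against the fallback domain. Its rcode (ok or reject)
            # becomes the result of this Auth-Type section.
            mschap_backup
        }
    }
}
```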
