Can FreeRADIUS retry authentication with another Active Directory after Post-Auth-Type REJECT

Peter Drucker druckers at
Mon Jun 11 04:31:34 CEST 2018

On Sun, Jun 10, 2018 at 12:39 PM, Alan DeKok <aland at> wrote:

> On Jun 9, 2018, at 11:01 PM, Peter Drucker <druckers at> wrote:
> >
> > This is what I want to 'happen':
> >
> > if any of the 'authenticate' modules 'reject' or 'notfound',
> >              check if 'policy' module says 'handled'.
> >              If it says 'handled', then
> >                  - retry 'authentication' with fall-through AD.
> >                  - 'fall-through' AD info is supplied by 'policy' module.
>
>   How?  AD queries are done via ntlm_auth, or via the winbind module.
> What "info" is being supplied here?

Yes, we use ntlm_auth and the AD domain info is passed dynamically.

> >              If 'policy' module says 'reject'
> >                  - come out of 'authenticate'
>
>   The main issue there is that modules like MS-CHAP will return MS-CHAP
> error attributes.  So you can't just "fall through" to trying something
> else.  You also need to delete the MS-CHAP error attributes.

Yes, this is the issue that I noticed when I tried to call
'rad_authenticate()' again in the 'Post-Auth REJECT' workflow.

>   Honestly, it's always better to do the right thing, and only the right
> thing.  It's bad to do something wrong, and then try to do the right thing.
>
>   So *why* are you failing over to a different AD server?  Why not just
> try that AD server in the first place?

I have a few AD servers at this time, with some data being synchronized
but not all. So I have a few users common between these ADs, but I also have
some server info that's not yet synchronized. So instead of simply using
'redundant' to automatically fall through, I would like this to be
configurable based on some other characteristics from the policy module.

>   If you want to catch the "reject" return code from a module, read this
> page:
>
> blob/v3.0.x/doc/configuration/configurable_failover.rst
>
>   It has examples for how to do configurable failover.

I tried this:
    authenticate {
        Auth-Type MS-CHAP {
            mschap          # the module whose 'reject' is being checked (implied by the text below)
            if (reject) {
                reject = return
            }
        }
    }

I can see mschap returning reject, but it's not honoring the if
condition. Does it only handle just the return codes and not the 'if'
statement in the authenticate flow?

>   Alan DeKok.

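For reference, an added example (not code from either poster) showing the configurable-failover form the linked document describes, applied to this thread's case: the return-code override goes in a sub-block of the module call rather than inside an 'if', because a plain 'reject' from mschap ends the 'authenticate' section before any following 'if' is reached, and the MS-CHAP error attributes are stripped before the second attempt as noted above. The second instance name 'mschap_fallback' and its separate ntlm_auth configuration are assumptions.

```unlang
# Added example (not from the thread): configurable failover for MS-CHAP in
# FreeRADIUS 3.0.x unlang.  Assumes a second mschap instance named
# "mschap_fallback" is defined in mods-enabled/ with its own ntlm_auth
# command pointing at the other AD (the name is an assumption).
authenticate {
    Auth-Type MS-CHAP {
        # Override the default action for "reject".  By default a reject
        # returns from the section immediately, so an "if (reject)" placed
        # after the module call is never reached ("reject = return" would
        # keep that default).  Priority 1 lets processing continue while
        # the return code itself stays "reject".
        mschap {
            reject = 1
        }

        if (reject) {
            # The failed attempt left MS-CHAP error attributes in the reply;
            # remove them before trying the other AD, otherwise the client
            # sees a failure even if the retry succeeds.
            update reply {
                &MS-CHAP-Error !* ANY
            }

            # Second attempt against the other AD.  Its return code is the
            # one the section ends with.
            mschap_fallback
        }
    }
}
```

Whether the retry should run at all (the "policy module says handled" part of the request) would be an additional condition on the 'if', evaluated before the fallback module is called.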