Hi Jérôme,

 

How will you know if the user has lost his token? Presumably they would show up in the SQL database, yes? And when they are issued a new one, you remove them from the SQL database, correct?

 

If that is the case, you should now think in reverse:

 

1.       If the user shows up in the SQL database, don’t bother with the token because the token is stolen/lost.

2.       If the user does NOT show up in the SQL database, use standard authentication

 

However, you *MUST* familiarise yourself with the following URL:  http://deployingradius.com/documents/protocols/compatibility.html

 

It maps which authentication methods can be used with which password storage mechanism. If your user is going to have to be able to authenticate against a SQL database or Active Directory for example, your SQL database has to store the NTLM hash of his/her password.

 

The authorize section should allow you to check whether the user exists in the SQL table or not, and if they do, retrieve the password value (you will have to write the queries to do this though). You can use ‘unlang’ to do that.

 

What Alan D is saying though is that there is no ‘fallback’ mechanism like some other authentication services have (like CAS, but that’s another story).

 

Stefan

 

 

From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Jérôme MATER
Sent: 07 May 2014 16:34
To: FreeRadius users mailing list
Subject: Re: Concatenation of authentication

 


Hi Alan,

Thanks for your answer.

There 4000 users! And the priority is the authentication with token.
SQL database should be use only if  a user loses his token.

The solution would be to have 2 freeradius, one for token authentication and the other one for SQL database ?

Regards,
Jérôme


Le 07/05/2014 13:14, Alan DeKok a écrit :

Jérôme MATER wrote:
I have made both configurations and it works separately. However, the
goal is :
 
1) I want to authenticate users with Windows Radius server and
authentication with token
2) If authentication 1 failed, then user tries to connect on the SQL
database automatically.
 
  That's not really how RADIUS works.  If the user is rejected, you
can't turn that into an accept.
 
I've tried with post-auth section, post-proxy section...
 
Is it possible ? How can I do that.
 
  You can't.
 
  Instead, determine which users should use SQL, and which users should
authenticate via the Windows RADIUS server.  Then, make them do that.
 
  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

 

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238