Alan, it worked just like you said it would. You are the man! Thank you. my config : authorize { update control { Ldap-UserDN := "%{User-Name}@domain.com" } ldap.authenticate # run user authentication by LDAP bind if (ok) { update request { # Trigger push notification by sending 'p' for password value User-Password := p } update control { # send to SafeNet Authentication Service Proxy-To-Realm := "proxy-test" } } } authenticate { } pre-proxy { # Enable pre-proxy to filter State attribute from proxied requests: attr_filter.pre-proxy } On Wed, Jan 9, 2019 at 5:55 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 9, 2019, at 9:51 AM, Tom Mustaki <tom@mustaki.com> wrote:
Alan, Thank you for the information. sadly i couldn't accomplish it.
What does that mean? What error did you get when you tried my suggestion?
Saying "stuff didn't work" is not overly helpful.
i have played a little with the configuration and got it partially working. i noticed a bug, in which, even if radius server is down, access is granted..
Because you told it to do that.
can someone identify the bug for me and explain how to modify the script to correct it? ... authenticate { Auth-Type LDAP { # Attempt authentication with a direct LDAP bind: ldap if (ok) { update request { User-Password := p } update control { Proxy-To-Realm := "proxy-test" }
That won't work. The server EITHER runs the "authenticate" section, OR it proxies. It can't do both.
accept
That's an unconditional "accept the user". Which is why it unconditionally accepts the user.
My suggestion should work:
authorize { ... ldap.authenticate # run LDAP bind if (ok) { update control { Proxy-To-Realm := "realm" } } ... }
That will do "bind as user" to authenticate the user, BUT do it in the "authorize" phase. That way, the "authenticate" phase then sees the Proxy-To-Realm, and proxies the packet, instead of doing local authentication.
If that doesn't work, say WHY it doesn't work. Show the debug output.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html