Rachel Primrose wrote:
So, here is the order of operations:
1. User is trying to log in with user@realm.com
2. The LNS first tries to authenticate the realm. It sends through an access request packet to our radius server with User-Name=realm.com, Service-Type=Dialout-Framed-User and Password = cisco. For certain realms only, we want to accept the request, and pass back some cisco specific attributes. For the rest of the realms, we want to just reject the request.
So configure that: DEFAULT Service-Type == Dialout-Framed-User, User-Name != "realm.com", Auth-Type := Reject This goes at the *top* of the "users" file.
3a. If the LNS gets an accept packet back with cisco attributes, it forwards an access request with user@realm.com to a third party LNS.
And configure an entry AFTER the one above, replying with the appropriate Cisco attributes: realm.com Service-Type == Dialout-Framed-User, User-Password == "cisco", Auth-Type := Accept cisco stuff Fall-Through = No
3b. If the LNS gets a reject packet back, it will then send an access request packet to our radius server with User-Name = user@realm.com, Service-Type=Framed-User and Password = user-provided password.
4. We then authenticate/authorize against an ldap server, hence the term ldap_user.
Then list "ldap" after "file" in the "authorize" section. Also list "ldap" in the authenticate section.
By conditionally run, I mean when the first access request packet with just the realm arrives and is rejected, we do not want to log it in the Post-Auth-Type REJECT section.
It's difficult to do that in 1.1.x. Alan DeKok.