Hello, How do I set up a freeradius server so that if the password fails for the primary radius server it tries the secondary for the password. In my scenario, the primary is up and servicing requests, but the password for the device is incorrect. Now the device looks to the secondary to get authorized and the secondary holds the correct secret for the device. I have looked at fail-over and load-balancing but am not sure if either of these are what I am looking for. Can someone tell me what I am looking for and I can do the rest. Thanks for any help, Jon
From Cisco IOS Doc <http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a7.html#wp1000967> "A FAIL response is significantly different from an ERROR. A FAIL means that the user has not met the criteria contained in the applicable authentication database to be successfully authenticated. Authentication ends with a FAIL response. An ERROR means that the security server has not responded to an authentication query. Because of this, no authentication has been attempted. Only when an ERROR is detected will AAA select the next authentication method defined in the authentication method list."
Vijay Avarachen On Feb 5, 2008 4:57 PM, <jonr@destar.net> wrote:
Hello,
How do I set up a freeradius server so that if the password fails for the primary radius server it tries the secondary for the password. In my scenario, the primary is up and servicing requests, but the password for the device is incorrect. Now the device looks to the secondary to get authorized and the secondary holds the correct secret for the device.
I have looked at fail-over and load-balancing but am not sure if either of these are what I am looking for. Can someone tell me what I am looking for and I can do the rest.
Thanks for any help,
Jon
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- "Knowledge is the only wealth that grows as you spend it, and diminishes as you save it." -- ancient Sanskrit saying
Quoting Vijay Avarachen <vavarachen@gmail.com>:
From Cisco IOS Doc <http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a7.html#wp1000967> "A FAIL response is significantly different from an ERROR. A FAIL means that the user has not met the criteria contained in the applicable authentication database to be successfully authenticated. Authentication ends with a FAIL response. An ERROR means that the security server has not responded to an authentication query. Because of this, no authentication has been attempted. Only when an ERROR is detected will AAA select the next authentication method defined in the authentication method list."
Vijay Avarachen
Thanks Vijay, that answers that. Jon
jonr@destar.net wrote:
How do I set up a freeradius server so that if the password fails for the primary radius server it tries the secondary for the password.
In 2.0.1, you should be able to do: authenticate { ... Auth-Type pap { pap if (reject) { update control { Proxy-To-Realm := "realm" } ok } } ... } Alan DeKok.
Alan DeKok schrieb:
jonr@destar.net wrote:
How do I set up a freeradius server so that if the password fails for the primary radius server it tries the secondary for the password.
In 2.0.1, you should be able to do:
authenticate { ... Auth-Type pap { pap if (reject) { update control { Proxy-To-Realm := "realm" } ok } } ... }
Should this kind of mechanism in 2.0.1 also be able to do something similar for eap? In case I have this debug output: Wed Feb 6 14:14:40 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_expired ^M Wed Feb 6 14:14:40 2008 : Error: TLS Alert write:fatal:certificate expired ^M Wed Feb 6 14:14:40 2008 : Error: TLS_accept:error in SSLv3 read client certificate B ^M Wed Feb 6 14:14:40 2008 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned^M Wed Feb 6 14:14:40 2008 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.^M Wed Feb 6 14:14:40 2008 : Debug: eaptls_process returned 13 ^M Wed Feb 6 14:14:40 2008 : Debug: rlm_eap: Freeing handler^M Wed Feb 6 14:14:40 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 9^M Wed Feb 6 14:14:40 2008 : Debug: ++[eap] returns reject^M I would like to send more information than simply "reject" to radpostauth, something like: Certificate error Auth-Type eap { eap if (reject) { update control { Module-Failure-Message := "Certificate error" } } reject } } and in radiusd.conf: Post-Auth = "INSERT INTO ${postauth_table} ....values (... '%{control:Module-Failure-Message}',.. ) This does not work for me. Is it expected to do what I want and I have a configuration error? Or is this not the right way to do this? If it should work: What's the fault here? Thanks Norbert Wegener
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Norbert Wegener wrote:
Should this kind of mechanism in 2.0.1 also be able to do something similar for eap?
I don't see why not. ...
This does not work for me. Is it expected to do what I want and I have a configuration error? Or is this not the right way to do this? If it should work: What's the fault here?
And the full debug output with that configuration is... ? Alan DeKok.
Alan DeKok wrote:
Norbert Wegener wrote:
Should this kind of mechanism in 2.0.1 also be able to do something similar for eap?
I don't see why not.
Fine
...
This does not work for me. Is it expected to do what I want and I have a configuration error? Or is this not the right way to do this? If it should work: What's the fault here?
And the full debug output with that configuration is... ?
your answer lets me assume, the problem is with my configuration :-( The output is at http : //www.wegener-net.de/freeradius/typescript (had to destroy the link, as the mailinglist software does not seem to like that any more) Norbert Wegener
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Norbert Wegener wrote:
your answer lets me assume, the problem is with my configuration :-( The output is at http : //www.wegener-net.de/freeradius/typescript
Wed Feb 6 18:02:23 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_expired Wed Feb 6 18:02:23 2008 : Error: TLS Alert write:fatal:certificate expired Expired certificates can't be used for authentication. Editing radiusd.conf won't fix this. :) Alan DeKok.
Alan DeKok schrieb:
Norbert Wegener wrote:
your answer lets me assume, the problem is with my configuration :-( The output is at http : //www.wegener-net.de/freeradius/typescript
Wed Feb 6 18:02:23 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_expired Wed Feb 6 18:02:23 2008 : Error: TLS Alert write:fatal:certificate expired
Expired certificates can't be used for authentication. Editing radiusd.conf won't fix this. :)
Accepted. But it would be helpful for a service desk to know that an expired certificate was the reason to refuse access. My intention was to provide this information in radpostauth. It seems, this cannot be achived the way I tried. Is there another way to go for this? Norbert Wegener
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Norbert Wegener wrote:
But it would be helpful for a service desk to know that an expired certificate was the reason to refuse access. My intention was to provide this information in radpostauth. It seems, this cannot be achived the way I tried. Is there another way to go for this?
The code would have to be updated to look for one of many OpenSSL error messages, and then log it. Logging a "certificate expired" message would be useful, I admit... Alan DeKok.
participants (4)
-
Alan DeKok -
jonr@destar.net -
Norbert Wegener -
Vijay Avarachen