In a nutshell: I'd like to like to proxy authentication requests to a Microsoft IAS server only if the attempt to first handle them locally has returned a REJECT. Details: I have IAS properly configured to authenticate AD users. FreeRADIUS (1.0.1) is running on a Linux (Debian, kernel 2.4.26) box and can authenticate properly against a local LDAP server (default realm) or proxy the requests to the IAS server (ntdomain) realm. This configuration is working. If the request contains the username in ntdomain format (e.g. "domain\username"), it gets forwarded to the IAS server. If the username has no prefix/suffix (e.g. "username"), it gets handled locally. Again, the radtest util has confirmed that this configuration is working the way that I'm expecting. However, what I'd like to do is have the server attempt to handle this request locally. If the local authentication attempt results in a 'reject', I then would like to have this request proxied to the IAS server. I could reverse the order and have the request first proxied to the IAS server and then handled locally if it's rejected, but the majority of our users have local accounts so it makes sense to try the local system first. I would greatly appreciate any suggestions that can be offered. Bryan
"Woods, Bryan" <Bryan.Woods@pomona.k12.ca.us> wrote:
In a nutshell: I'd like to like to proxy authentication requests to a Microsoft IAS server only if the attempt to first handle them locally has returned a REJECT.
It requires a bit of code changes, but it's possible. Hmm... edit src/modules/rlm_files.c, and add an "authenticate" section, copied from one of the other sections. Maybe this can go into 1.0.5, as it's a pretty small change. Alan DeKok.
participants (2)
-
Alan DeKok -
Woods, Bryan