Proxy, only if local auth fails?

Woods, Bryan Bryan.Woods at
Tue Jul 5 19:25:36 CEST 2005

In a nutshell:  I'd like to like to proxy authentication requests to a
Microsoft IAS server only if the attempt to first handle them locally has
returned a REJECT.

Details:  I have IAS properly configured to authenticate AD users.
FreeRADIUS (1.0.1) is running on a Linux (Debian, kernel 2.4.26) box and can
authenticate properly against a local LDAP server (default realm) or proxy
the requests to the IAS server (ntdomain) realm.  This configuration is

If the request contains the username in ntdomain format (e.g.
"domain\username"), it gets forwarded to the IAS server.  If the username
has no prefix/suffix (e.g. "username"), it gets handled locally.  Again, the
radtest util has confirmed that this configuration is working the way that
I'm expecting.

However, what I'd like to do is have the server attempt to handle this
request locally.  If the local authentication attempt results in a 'reject',
I then would like to have this request proxied to the IAS server.  I could
reverse the order and have the request first proxied to the IAS server and
then handled locally if it's rejected, but the majority of our users have
local accounts so it makes sense to try the local system first.

I would greatly appreciate any suggestions that can be offered.


More information about the Freeradius-Users mailing list