How to forward a request rejected by a proxy RADIUS server to another LDAP server?
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jun 5 10:53:19 CEST 2007
Clark J. Wang wrote:
> I've configured a proxy RADIUS server in `proxy.conf' and an LDAP server
> in `radiusd.conf' and they work well. I want to forward those requests
> rejected by the proxy RADIUS server to the LDAP server and
> re-authenticate them again. Can I do that in FreeRADIUS? And how?
Can't be done.
The main reason it hasn't been implemented is that many Radius auth
algorithms e.g. EAP involve multiple exchanges. You can't just "break
into" the middle of a conversation.
In principle it could be done for PAP, and I think CHAP and MS-CHAP. At
the moment the easiest way would be to use an Exec-Program and radclient
to issue the request to the proxy, and if it fails do the LDAP.
Frequently when people ask to do this it's because most of their users
live in a remote server but some live in an LDAP server. If that's the
case, you can solve the problem other ways.
More information about the Freeradius-Users
mailing list