Post-Auth REJECT - conditional sql

Alan DeKok aland at deployingradius.com
Thu Nov 15 09:33:14 CET 2007


Rachel Primrose wrote:
> So, here is the order of operations:
> 
> 1.  User is trying to log in with user@realm.com
> 
> 2.  The LNS first tries to authenticate the realm.  It sends through
> an access request packet to our radius server with
> User-Name=realm.com, Service-Type=Dialout-Framed-User and Password =
> cisco.
> For certain realms only, we want to accept the request, and pass back
> some cisco specific attributes.  For the rest of the realms, we want
> to just reject the request.

  So configure that:

# Realm probes (Service-Type Dialout-Framed-User) for any realm other
# than realm.com are rejected outright.
DEFAULT Service-Type == Dialout-Framed-User, User-Name != "realm.com", Auth-Type := Reject

  This goes at the *top* of the "users" file.

> 3a.  If the LNS gets an accept packet back with cisco attributes, it
> forwards an access request with user@realm.com to a third party LNS.

  And configure an entry AFTER the one above, replying with the
appropriate Cisco attributes:

# The realm.com probe with the shared password is accepted and the
# Cisco attributes are returned as reply items (comma-separated).
realm.com Service-Type == Dialout-Framed-User, User-Password == "cisco", Auth-Type := Accept
	cisco stuff,
	Fall-Through = No

> 3b.  If the LNS gets a reject packet back, it will then send an access
> request packet to our radius server with User-Name = user@realm.com,
> Service-Type=Framed-User and Password = user-provided password.
>
> 4.  We then authenticate/authorize against an ldap server, hence the
> term ldap_user.

   Then list "ldap" after "files" in the "authorize" section.  Also list
"ldap" in the "authenticate" section.

> By conditionally run, I mean when the first access request packet with
> just the realm arrives and is rejected, we do not want to log it in
> the Post-Auth-Type REJECT section.

  It's difficult to do that in 1.1.x.

  Alan DeKok.
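A toy model of the users-file walk discussed above, added here as an illustration and not code from FreeRADIUS or from either poster: it feeds the requests Rachel describes (the realm probe for realm.com, a realm probe for some other realm, the real user login) plus a realm probe carrying the wrong shared password through the two entries Alan gives, and reports which Auth-Type they force, what reply items come back, and whether the Post-Auth-Type REJECT section would run. Entry, run_files, decide and the request dicts are the example's own names; the Cisco-AVPair value is an assumed placeholder for the "cisco stuff" the post leaves unspecified; the model covers only DEFAULT matching, the ==, != and := operators and Fall-Through, not Stripped-User-Name, attribute typing or the other modules in the authorize section.

```python
"""Toy model of how FreeRADIUS 1.x rlm_files walks the "users" file.

Added example, not FreeRADIUS code.  Models only what is needed to see
the outcome of the two users entries from the thread for the requests
it describes: entry order, the DEFAULT name, "==" / "!=" check items,
":=" control assignments and Fall-Through.  Stripped-User-Name,
attribute typing and other modules are not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Check = Tuple[str, str, str]  # (attribute, operator, value)


@dataclass
class Entry:
    name: str                            # "DEFAULT" or the literal User-Name
    checks: List[Check]
    reply: Dict[str, str] = field(default_factory=dict)
    fall_through: bool = False           # reply item "Fall-Through = Yes"


def entry_matches(entry: Entry, request: Dict[str, str]) -> bool:
    """The name must equal User-Name (DEFAULT matches any name) and every
    comparison check item must hold; ":=" items are assignments, not tests."""
    if entry.name != "DEFAULT" and request.get("User-Name") != entry.name:
        return False
    for attr, op, value in entry.checks:
        if op == "==" and request.get(attr) != value:
            return False
        if op == "!=" and request.get(attr) == value:
            return False
    return True


def run_files(entries: List[Entry], request: Dict[str, str]):
    """Walk the entries top to bottom; stop at the first match unless it
    sets Fall-Through = Yes.  Returns (control items, reply items)."""
    control: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    for entry in entries:
        if not entry_matches(entry, request):
            continue
        for attr, op, value in entry.checks:
            if op == ":=":
                control[attr] = value
        reply.update(entry.reply)
        if not entry.fall_through:
            break
    return control, reply


def decide(entries: List[Entry], request: Dict[str, str]):
    """Outcome after rlm_files in authorize.  "ldap" means no entry forced
    an Auth-Type, so the ldap module listed after files decides (step 4).
    The third element says whether Post-Auth-Type REJECT would run: in
    1.1.x it runs for every Access-Reject, realm probes included."""
    control, reply = run_files(entries, request)
    auth_type = control.get("Auth-Type")
    decision = {"Reject": "reject", "Accept": "accept"}.get(auth_type, "ldap")
    return decision, reply, decision == "reject"


USERS = [
    # Top of the file: reject realm probes for every realm but realm.com.
    Entry("DEFAULT", [("Service-Type", "==", "Dialout-Framed-User"),
                      ("User-Name", "!=", "realm.com"),
                      ("Auth-Type", ":=", "Reject")]),
    # Accept the realm.com probe with the shared password and send the
    # Cisco attributes.  The reply value is an assumed placeholder for
    # the "cisco stuff" the post leaves unspecified.
    Entry("realm.com", [("Service-Type", "==", "Dialout-Framed-User"),
                        ("User-Password", "==", "cisco"),
                        ("Auth-Type", ":=", "Accept")],
          reply={"Cisco-AVPair": "placeholder-for-cisco-stuff"}),
]

# Constructed requests following the thread's steps 2 and 3b, plus a
# realm probe with the wrong shared password.
REALM_PROBE_OK = {"User-Name": "realm.com", "Service-Type": "Dialout-Framed-User",
                  "User-Password": "cisco"}
REALM_PROBE_OTHER = {"User-Name": "other.example", "Service-Type": "Dialout-Framed-User",
                     "User-Password": "cisco"}
USER_LOGIN = {"User-Name": "user@realm.com", "Service-Type": "Framed-User",
              "User-Password": "user-provided"}
REALM_PROBE_BADPW = {"User-Name": "realm.com", "Service-Type": "Dialout-Framed-User",
                     "User-Password": "wrong"}

if __name__ == "__main__":
    for label, req in [("realm probe, realm.com", REALM_PROBE_OK),
                       ("realm probe, other realm", REALM_PROBE_OTHER),
                       ("user login", USER_LOGIN),
                       ("realm probe, bad password", REALM_PROBE_BADPW)]:
        decision, reply, post_auth_reject = decide(USERS, req)
        print(f"{label:28s} -> {decision:6s} reply={reply} "
              f"Post-Auth-Type REJECT runs={post_auth_reject}")
```

Two things worth noticing in the output. The wrong-password probe for realm.com matches neither entry (the DEFAULT excludes that name and the realm.com entry fails the password check), so rlm_files forces nothing and the request goes on to ldap rather than being rejected by the files module. And every Access-Reject, the realm probe for a foreign realm included, reaches Post-Auth-Type REJECT, which is the difficulty the reply refers to for 1.1.x.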



More information about the Freeradius-Users mailing list