Post-Auth REJECT - conditional sql

Rachel Primrose rachel.primrose at gmail.com
Thu Nov 15 20:18:04 CET 2007


Thanks Alan.

Looks like we'll be implementing a solution in the database then.

 - Rachel

On Nov 15, 2007 9:33 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Rachel Primrose wrote:
> > So, here is the order of operations:
> >
> > 1.  User is trying to log in with user@realm.com
> >
> > 2.  The LNS first tries to authenticate the realm.  It sends through
> > an access request packet to our radius server with
> > User-Name=realm.com, Service-Type=Dialout-Framed-User and Password =
> > cisco.
> > For certain realms only, we want to accept the request, and pass back
> > some cisco specific attributes.  For the rest of the realms, we want
> > to just reject the request.
>
>   So configure that:
>
> DEFAULT Service-Type == Dialout-Framed-User, User-Name != "realm.com",
> Auth-Type := Reject
>
>   This goes at the *top* of the "users" file.
>
> > 3a.  If the LNS gets an accept packet back with cisco attributes, it
> > forwards an access request with user@realm.com to a third party LNS.
>
>   And configure an entry AFTER the one above, replying with the
> appropriate Cisco attributes:
>
> realm.com Service-Type == Dialout-Framed-User, User-Password == "cisco",
> Auth-Type := Accept
>         cisco stuff
>         Fall-Through = No
>
> > 3b.  If the LNS gets a reject packet back, it will then send an access
> > request packet to our radius server with User-Name = user@realm.com,
> > Service-Type=Framed-User and Password = user-provided password.
> >
> > 4.  We then authenticate/authorize against an ldap server, hence the
> > term ldap_user.
>
>    Then list "ldap" after "file" in the "authorize" section.  Also list
> "ldap" in the authenticate section.
>
> > By conditionally run, I mean when the first access request packet with
> > just the realm arrives and is rejected, we do not want to log it in
> > the Post-Auth-Type REJECT section.
>
>   It's difficult to do that in 1.1.x.
>
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
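The two "users" entries Alan describes, run through a small simulated matcher. This is an added example, not code from the thread or from FreeRADIUS: it models top-down matching with check items, reply items and Fall-Through only, the three request shapes from the thread are constructed here, the Cisco reply value stands in for the elided "cisco stuff", and module processing (pap, ldap) is not modelled.

```python
# Added example: a simplified model of FreeRADIUS "users" file matching.
# Not FreeRADIUS code; module processing (pap, ldap) is not modelled.

OPS = {"==": lambda have, want: have == want,
       "!=": lambda have, want: have != want}

# (entry name, check items, reply items, Fall-Through) in file order,
# mirroring the two entries from the thread. Fall-Through defaults to No.
USERS = [
    ("DEFAULT",
     [("Service-Type", "==", "Dialout-Framed-User"),
      ("User-Name", "!=", "realm.com")],
     {"Auth-Type": "Reject"}, False),
    ("realm.com",
     [("Service-Type", "==", "Dialout-Framed-User"),
      ("User-Password", "==", "cisco")],
     # "cisco stuff" in the thread; the value below is a placeholder
     {"Auth-Type": "Accept", "Cisco-AVPair": "PLACEHOLDER-CISCO-ATTRS"}, False),
]

def entry_matches(name, checks, request):
    """DEFAULT matches any User-Name; other names must equal the request's."""
    if name != "DEFAULT" and request.get("User-Name") != name:
        return False
    return all(OPS[op](request.get(attr), want) for attr, op, want in checks)

def authorize(request, users=USERS):
    """Walk entries top-down; the first match supplies the reply and stops
    unless Fall-Through is Yes. An empty reply means the files module decided
    nothing, so the modules listed after it (ldap) see the request."""
    reply = {}
    for name, checks, reply_items, fall_through in users:
        if entry_matches(name, checks, request):
            reply.update(reply_items)
            if not fall_through:
                break
    return reply

# Constructed requests for step 2 (two different realms) and step 3b.
REALM_PROBE = {"User-Name": "realm.com", "Service-Type": "Dialout-Framed-User",
               "User-Password": "cisco"}
OTHER_PROBE = {**REALM_PROBE, "User-Name": "other.example"}
USER_LOGIN = {"User-Name": "user@realm.com", "Service-Type": "Framed-User",
              "User-Password": "user-provided"}

if __name__ == "__main__":
    for req in (REALM_PROBE, OTHER_PROBE, USER_LOGIN):
        print(req["User-Name"], "->", authorize(req) or "no match, on to ldap")
```

A realm probe carrying the wrong password matches neither entry, so the files module leaves Auth-Type unset and the request continues to the later modules instead of being rejected here.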