Proxy on Fail.. Or intelligent proxy...Or Utilize multiple account directories

Harry Hoffman hhoffman at
Tue Feb 9 15:09:05 CET 2010

Hi Larry,

I am doing this same thing...

I've modified the PAP and LDAP sections, in
/etc/raddb/sites-enabled/{default,inner-tunnel}, to do this and it works:

authenticate {

         #  PAP authentication, when a back-end database listed
         #  in the 'authorize' section supplies a password.  The
         #  password can be clear-text, or encrypted.
         Auth-Type PAP {
                                 reject = 1
                                 ok = return
                                 reject = 1
                                 ok = return


I do the same for Auth-Type LDAP.

Hope this helps.


On 02/08/2010 09:42 PM, Alan DeKok wrote:
> Larry Ross wrote:
>> I am looking at configuring FR to Auth accounts across multiple account
>> directories.  Basically I would like FR to take in PAP queries, attempt
>> Auth against krb, then if that comes back as a fail, try a secondary
>> Radius server (Eduroam…) or module (Shibboleth).
>    That's hard.
>> We are looking at this as we foresee collisions occurring between
>> accounts residing within other universities and our local guest accounts
>> (which use email address as the principal).
>    The simple answer is "don't have colliding usernames".
>    Use email addresses for logins, *especially* for roaming users from
> other universities.
>    Having colliding usernames is very bad for a number of reasons.
>    Alan DeKok.
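An added example, not part of the original thread and not FreeRADIUS code: a simplified Python model of how per-module overrides such as `reject = 1` / `ok = return` let an authenticate group fall through to a second backend, and what that means when the same username exists in both directories. The backends, directories, credentials and the `STRICT` table are constructed assumptions for illustration.

```python
import hmac

RETURN = "return"  # action: stop the group now and return this code

# Constructed sample directories: the same username exists in both.
LOCAL = {"pat@example.edu": "local-pass"}
REMOTE = {"pat@example.edu": "remote-pass", "sam@other.example": "sam-pass"}

FAILOVER = {"reject": 1, "ok": RETURN}     # the overrides quoted in the post
STRICT = {"reject": RETURN, "ok": RETURN}  # assumed contrast: stop on first reject


def backend(directory):
    """Hypothetical PAP-style backend: returns 'ok' or 'reject'."""
    def check(username, password):
        stored = directory.get(username)
        if stored is not None and hmac.compare_digest(stored, password):
            return "ok"
        return "reject"
    return check


def run_group(modules, username, password):
    """Run modules in order. An action is RETURN or an integer priority;
    the group yields the highest-priority code unless a RETURN stops it."""
    result, best = "reject", 0
    for check, actions in modules:
        rcode = check(username, password)
        action = actions.get(rcode, RETURN)  # model choice: unlisted codes stop
        if action == RETURN:
            return rcode
        if action >= best:
            result, best = rcode, action
    return result


def authenticate(actions, username, password):
    chain = [(backend(LOCAL), actions), (backend(REMOTE), actions)]
    return run_group(chain, username, password)


if __name__ == "__main__":
    for pw in ("local-pass", "remote-pass", "wrong"):
        print(pw, authenticate(FAILOVER, "pat@example.edu", pw),
              authenticate(STRICT, "pat@example.edu", pw))
```

With the failover actions, either directory's password authenticates the colliding name, which is the collision problem raised in the quoted reply.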