freeradius and Cisco VPN IPSEC profiles authentication

Jevos, Peter Peter.Jevos at oriflame.com
Wed Nov 10 16:58:11 CET 2010


Jevos, Peter wrote:

> How can I skip to the second DEFAULT if the first DEFAULT doesn’t pass?

  Use the "Fall-Through" attribute.  See comments in the default "users"
file.

> So if a request comes from 10.1.1.2 and the user doesn’t pass
> authentication, it should be forwarded to another DEFAULT (with the
> vpn_auth_name authentication).

  That is *completely* different from the previous question, and much
more difficult.  The "users" file is only processed once, at the
"authorize" stage.  You're asking for something else to happen if
authentication fails, i.e. when the "users" file is no longer being processed.

  A much better choice is to set the authentication type only once,
i.e. "if the user is in group X, do ntlm_auth.  Otherwise, vpn_auth".

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

 

Thanks for your answer, Alan.

The Fall-Through attribute doesn’t work in this case, because it is “falling” all the time (even though it matches the condition).

However, let’s think about this classic case: you have one router with several profiles to connect to (different pools, DNS, and so on).
Every profile should have its authentication against a different AD group.
So it is not possible to solve it through the USERS file?

Thanks

pet
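A worked configuration for the two approaches discussed in this thread, added here as an illustration; it is not taken from the thread or from the FreeRADIUS project's shipped configuration. It shows a "users" file that chains two DEFAULT entries with Fall-Through (which only controls whether the next entry is examined during authorize, so it cannot react to a later authentication failure), and the approach Alan recommends: picking Auth-Type exactly once in the authorize section from AD group membership. The NAS addresses 10.1.1.2 and 10.1.1.3, the group names VPN-Users-A and VPN-Users-B, the Auth-Type names ntlm_auth and vpn_auth, and an rlm_ldap instance named "ldap" that provides the Ldap-Group check attribute are all assumptions for the example; the profile-to-NAS mapping is likewise assumed, since the thread only mentions 10.1.1.2.

```unlang
# ---- raddb/users (FreeRADIUS 2.x syntax) ----
# Fall-Through = Yes only tells the users module to keep looking at
# later entries during authorize.  Both entries below are evaluated
# before any password is checked, so a failure of ntlm_auth later on
# can never "fall" to the second DEFAULT.  The NAS addresses are assumed.
DEFAULT NAS-IP-Address == 10.1.1.2, Auth-Type := ntlm_auth
        Fall-Through = Yes

DEFAULT NAS-IP-Address == 10.1.1.3, Auth-Type := vpn_auth

# ---- raddb/sites-enabled/default, authorize section ----
# Alternative (preferred): decide Auth-Type once, from group membership.
# Assumes an rlm_ldap instance "ldap" bound to AD (exposes Ldap-Group),
# and Auth-Type ntlm_auth / vpn_auth sub-sections in authenticate {}.
# Group names and the per-profile NAS addresses are assumptions.
authorize {
    preprocess
    ldap

    # Profile A: only members of VPN-Users-A, authenticated via ntlm_auth
    if (NAS-IP-Address == 10.1.1.2) {
        if (Ldap-Group == "VPN-Users-A") {
            update control {
                Auth-Type := ntlm_auth
            }
        }
        else {
            reject
        }
    }
    # Profile B: only members of VPN-Users-B, authenticated via vpn_auth
    elsif (NAS-IP-Address == 10.1.1.3) {
        if (Ldap-Group == "VPN-Users-B") {
            update control {
                Auth-Type := vpn_auth
            }
        }
        else {
            reject
        }
    }
    # Requests from an unknown NAS are refused outright
    else {
        reject
    }
}
```

Use one of the two mechanisms, not both: if the users file sets Auth-Type with := and the unlang block sets it again, the later assignment wins and the first is wasted. Whichever is chosen, exactly one Auth-Type runs in authenticate; a failed ntlm_auth does not retry with vpn_auth, which is the point Alan makes above. Run radiusd -X while testing with radtest so the authorize decision and the group lookup are visible in the debug output.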
