freeradius and Cisco VPN IPSEC profiles authentication

Jevos, Peter Peter.Jevos at
Wed Nov 10 16:58:11 CET 2010

Jevos, Peter wrote:

> How can I skip to the second DEFAULT if the first DEFAULT doesn’t pass ?


  Use the "Fall-Through" attribute.  See comments in the default "users"



> So if request comes from the and user doesn’t pass through

> authentication, it should be forwarded to another DEFAULT ( with the

> vpn_auth_name authentication).


  That is *completely* different from the previous question, and much

more difficult.  The "users" file is only processed once, at the

"authorize" stage.  You're asking for something else to happen if

authentication fails.  i.e. when the "users" is no longer being processed.


  A much better choice is to set the authentication type only once.

i.e. "if the user is in group X, do ntlm_auth.  Otherwise, vpn_auth"


  Alan DeKok.


List info/subscribe/unsubscribe? See


Thanks for your answer Alan

Fall-through attribute doesn’t work in this case, cause it is “falling” all the time ( even though it matches the condition )


However, let’s think about this classic case: You have one router, with more profiles to connect ( different pools, dns, and so on )

Every profile should have its authentication against different AD group

So it is not possible to solve it through USERS file ?







-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list