freeradius and Cisco VPN IPSEC profiles authentication
Jevos, Peter
Peter.Jevos at oriflame.com
Wed Nov 10 16:58:11 CET 2010
Jevos, Peter wrote:
> How can I skip to the second DEFAULT if the first DEFAULT doesn’t pass ?
Use the "Fall-Through" attribute. See comments in the default "users"
file.
> So if request comes from the 10.1.1.2 and user doesn’t pass through
> authentication, it should be forwarded to another DEFAULT ( with the
> vpn_auth_name authentication).
That is *completely* different from the previous question, and much
more difficult. The "users" file is only processed once, at the
"authorize" stage. You're asking for something else to happen if
authentication fails. i.e. when the "users" is no longer being processed.
A much better choice is to set the authentication type only once.
i.e. "if the user is in group X, do ntlm_auth. Otherwise, vpn_auth"
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for your answer Alan
Fall-through attribute doesn’t work in this case, cause it is “falling” all the time ( even though it matches the condition )
However, let’s think about this classic case: You have one router, with more profiles to connect ( different pools, dns, and so on )
Every profile should have its authentication against different AD group
So it is not possible to solve it through USERS file ?
Thanks
pet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20101110/1a3ace0b/attachment.html>
More information about the Freeradius-Users
mailing list