Concatenation of authentication

Stefan Paetow Stefan.Paetow at
Wed May 7 18:00:59 CEST 2014

Hi Jérôme,

How will you know if the user has lost his token? Presumably they would show up in the SQL database, yes? And when they are issued a new one, you remove them from the SQL database, correct?

If that is the case, you should now think in reverse:

1.       If the user shows up in the SQL database, don't bother with the token because the token is stolen/lost.

2.       If the user does NOT show up in the SQL database, use standard authentication

However, you *MUST* familiarise yourself with the following URL:

It maps which authentication methods can be used with which password storage mechanism. If your user is going to have to be able to authenticate against a SQL database or Active Directory for example, your SQL database has to store the NTLM hash of his/her password.

The authorize section should allow you to check whether the user exists in the SQL table or not, and if they do, retrieve the password value (you will have to write the queries to do this though). You can use 'unlang' to do that.

What Alan D is saying though is that there is no 'fallback' mechanism like some other authentication services have (like CAS, but that's another story).


From: at [ at] On Behalf Of Jérôme MATER
Sent: 07 May 2014 16:34
To: FreeRadius users mailing list
Subject: Re: Concatenation of authentication

Hi Alan,

Thanks for your answer.

There 4000 users! And the priority is the authentication with token.
SQL database should be use only if  a user loses his token.

The solution would be to have 2 freeradius, one for token authentication and the other one for SQL database ?


Le 07/05/2014 13:14, Alan DeKok a écrit :

Jérôme MATER wrote:

I have made both configurations and it works separately. However, the

goal is :

1) I want to authenticate users with Windows Radius server and

authentication with token

2) If authentication 1 failed, then user tries to connect on the SQL

database automatically.

  That's not really how RADIUS works.  If the user is rejected, you

can't turn that into an accept.

I've tried with post-auth section, post-proxy section...

Is it possible ? How can I do that.

  You can't.

  Instead, determine which users should use SQL, and which users should

authenticate via the Windows RADIUS server.  Then, make them do that.

  Alan DeKok.


List info/subscribe/unsubscribe? See

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list