Post Auth and Logging Multiple MSCHAP modules

Alan DeKok aland at deployingradius.com
Mon Jun 5 16:45:55 CEST 2017


On Jun 5, 2017, at 10:16 AM, Arnab Roy <arnabroy at mail.com> wrote:
>   I have multiple MSCHAP definitions in my setup each pointing to
>   different ad domains and all is working well. The authenticate section
>   is defined as such
> 
>   Auth-Type MS-CHAP {
>                                                   mschap-a {
>                                                                   reject
>   =2
>                                                           }
>                                                           if(reject) {
> 
>   mschap-b
> 
>   reject=2
>                                                           }
>           }

  You *should* be deciding what domain to use up front, and then selecting the appropriate MS-CHAP module based on that.  That way, the "mschap-a" module doesn't get overloaded with requests which really should be for "mschap-b"

> 
>   Now I am trying to check in post auth if user authenticated via
>   mschap-a go to VLAN A(vsa) else goto VLAN B(vsa). What I cant figure
>   out is how do I reference these in the post auth block as if I try
>   looking for return code from the modules

  You decide which domain it is at the start, and use that to do VLAN assignment.

>   Also I need to log in linelog which mschap module authenticated the
>   user ?

  You decide which domain it is at the start, and use that in the logs.

  Alan DeKok.




More information about the Freeradius-Users mailing list