Post Auth and Logging Multiple MSCHAP modules
Arnab Roy
arnabroy at mail.com
Mon Jun 5 16:56:33 CEST 2017
Thanks Alan, that would be my preference as well. Unfortunately we can
get some users who do not put in domain prefix/suffix...
So basically there isnt a way we can find out in that case ?
Sent: Monday, June 05, 2017 at 3:45 PM
From: "Alan DeKok" <aland at deployingradius.com>
To: "FreeRadius users mailing list"
<freeradius-users at lists.freeradius.org>
Subject: Re: Post Auth and Logging Multiple MSCHAP modules
On Jun 5, 2017, at 10:16 AM, Arnab Roy <arnabroy at mail.com> wrote:
> I have multiple MSCHAP definitions in my setup each pointing to
> different ad domains and all is working well. The authenticate
section
> is defined as such
>
> Auth-Type MS-CHAP {
> mschap-a {
> reject
> =2
> }
> if(reject) {
>
> mschap-b
>
> reject=2
> }
> }
You *should* be deciding what domain to use up front, and then
selecting the appropriate MS-CHAP module based on that. That way, the
"mschap-a" module doesn't get overloaded with requests which really
should be for "mschap-b"
>
> Now I am trying to check in post auth if user authenticated via
> mschap-a go to VLAN A(vsa) else goto VLAN B(vsa). What I cant figure
> out is how do I reference these in the post auth block as if I try
> looking for return code from the modules
You decide which domain it is at the start, and use that to do VLAN
assignment.
> Also I need to log in linelog which mschap module authenticated the
> user ?
You decide which domain it is at the start, and use that in the logs.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
[1]http://www.freeradius.org/list/users.html
References
1. http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list