Can FreeRADIUS retry authentication with another Active Directory after Post-Auth-Type REJECT
Peter Drucker
druckers at gmail.com
Sat Jun 9 04:44:24 CEST 2018
Thanks for the quick response. I have a "policy" module that can determine
the AD to use for authentication as well as post-auth attributes to send in
the response.
So I can't directly enter the AD in the authentication section. Here's a
sample of my configuration.
server nac-server {
    listen {
        type = auth
        ipaddr = 10.10.120.103
        port = 1812
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        type = acct
        ipaddr = 10.10.120.103
        port = 1813
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    authorize {
        update control {
            Load-Balance-Key = "%{Calling-Station-Id}"
        }
        policy
        chap
        mschap
        eap {
            ok = return
        }
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
    preacct {
        acct_unique
        policy
    }
    accounting {
        policy
    }
    session {
        radutmp
    }
    post-auth {
        policy
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            policy
            ok
        }
    }
    pre-proxy {
        policy
    }
    post-proxy {
        policy
        eap
        Post-Proxy-Type Fail-Authentication {
            policy
        }
    }
}
On Fri, Jun 8, 2018 at 5:34 PM, Alan Buxey <alan.buxey at gmail.com> wrote:
> why so late in the process?
>
> just use another AD in the Authenticate section instead.... read the
> unlang to see how you can call another mschap module
> if the first one is failing...
> (I've done this to transition from one AD to another).
>
> alan
>
> On 8 June 2018 at 21:14, Peter Drucker <druckers at gmail.com> wrote:
>
> > Hi,
> >
> > I'm looking for a different kind of fall-through.
> >
> > Is it possible for FreeRADIUS to fall-through to another Active
> > Directory after Post-Auth-Type Reject?
> >
> > Thanks,
> > Peter.
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
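
An added example, not part of the original thread or of either poster's configuration: one way to write the fallback suggested in the quoted reply (a second mschap module tried when the first one fails), in FreeRADIUS 3.x unlang. The instance names mschap_ad1 and mschap_ad2, the domain names AD1 and AD2, and the ntlm_auth path are assumptions.

```unlang
# Module configuration (assumed to live alongside the stock mschap module).
# Two named instances of the mschap module, one per Active Directory domain.
# Instance names, domain names and the ntlm_auth path are hypothetical.
mschap mschap_ad1 {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=AD1 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

mschap mschap_ad2 {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=AD2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# In the virtual server. The authorize section is unchanged from the
# posted configuration; only the MS-CHAP block of authenticate differs.
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        # By default a reject or fail ends the section immediately.
        # Giving both a low priority lets processing continue to the
        # condition below instead of returning to post-auth.
        mschap_ad1 {
            reject = 1
            fail = 1
        }
        # Only consult the second directory when the first did not accept.
        if (reject || fail) {
            # Default priorities apply here: a reject from the second
            # directory is final and reaches Post-Auth-Type REJECT.
            mschap_ad2
        }
    }
    eap
}
```

With this layout a wrong password is presented to both directories, so an account that exists in both records a failed logon in each; check that against the lockout thresholds of both domains.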