Can FreeRADIUS retry authentication with another Active Directory after Post-Auth-Type REJECT
Alan Buxey
alan.buxey at gmail.com
Sat Jun 9 12:58:22 CEST 2018
Hi
What's the policy module doing? (Since you didn't share) and how is it
being called?
    Auth-Type MS-CHAP {
        mschap
    }
You just need to extend and change that bit, as documented in the module
failover section.
alan
On Sat, 9 Jun 2018, 04:44 Peter Drucker, <druckers at gmail.com> wrote:
> Thanks for the quick response. I have a "policy" module that can determine
> the AD to use for authentication as well as post-auth attributes to send in
> the response.
>
> So I can't directly enter the AD in the authentication section. Here's a
> sample of my configuration.
>
> server nac-server {
>     listen {
>         type = auth
>         ipaddr = 10.10.120.103
>         port = 1812
>         limit {
>             max_connections = 16
>             lifetime = 0
>             idle_timeout = 30
>         }
>     }
>
>     listen {
>         type = acct
>         ipaddr = 10.10.120.103
>         port = 1813
>         limit {
>             max_connections = 16
>             lifetime = 0
>             idle_timeout = 30
>         }
>     }
>
>     authorize {
>         update control {
>             Load-Balance-Key = "%{Calling-Station-Id}"
>         }
>         policy
>         chap
>         mschap
>         eap {
>             ok = return
>         }
>         pap
>     }
>     authenticate {
>         Auth-Type PAP {
>             pap
>         }
>         Auth-Type CHAP {
>             chap
>         }
>         Auth-Type MS-CHAP {
>             mschap
>         }
>         eap
>     }
>     preacct {
>         acct_unique
>         policy
>     }
>     accounting {
>         policy
>     }
>     session {
>         radutmp
>     }
>     post-auth {
>         policy
>         Post-Auth-Type REJECT {
>             attr_filter.access_reject
>             policy
>             ok
>         }
>     }
>     pre-proxy {
>         policy
>     }
>     post-proxy {
>         policy
>         eap
>         Post-Proxy-Type Fail-Authentication {
>             policy
>         }
>     }
> }
>
> On Fri, Jun 8, 2018 at 5:34 PM, Alan Buxey <alan.buxey at gmail.com> wrote:
>
> > why so late in the process?
> >
> > just use another AD in the Authenticate section instead.... read the
> > unlang to see how you can call another mschap module
> > if the first one is failing...
> > (I've done this to transition from one AD to another).
> >
> > alan
> >
> > On 8 June 2018 at 21:14, Peter Drucker <druckers at gmail.com> wrote:
> >
> > > Hi,
> > >
> > > I'm looking for a different kind of fall-through.
> > >
> > > Is it possible for FreeRadius to fall-through to another Active
> > > Directory after Post-Auth-Type Reject?
> > >
> > > Thanks,
> > > Peter.
> > > -
> > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
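The failover discussed in this thread, sketched as an added example that is not part of the original messages or of anyone's actual configuration: the Auth-Type MS-CHAP block is extended with a per-module return-code override so that a reject from the first directory does not end the section. The instance names mschap_ad1 and mschap_ad2 are hypothetical; each is assumed to be a separate instance of the mschap module configured against a different Active Directory.

```unlang
authenticate {
    Auth-Type MS-CHAP {
        # mschap_ad1 / mschap_ad2 are hypothetical instance names (assumption),
        # each an instance of the mschap module bound to one directory.
        #
        # Setting a priority instead of "return" keeps the section running
        # after the first directory rejects or fails.
        mschap_ad1 {
            reject = 1
            fail = 1
        }

        # Only consult the second directory when the first did not succeed.
        # Its result (ok or reject) becomes the result of the section.
        if (reject || fail) {
            mschap_ad2
        }
    }
}
```

With this in place every wrong password is presented to both directories, so bad-password counters and lockout policy are exercised in each of them. A username that exists in both directories will be accepted with either directory's password, which is worth checking before using this for anything longer than a migration window.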