Can FreeRADIUS retry authentication with another Active Directory after Post-Auth-Type REJECT

Peter Drucker druckers at gmail.com
Sun Jun 10 01:07:54 CEST 2018


Policy module determines which AD to use and then the mschap module uses
the AD info to run ntlm_auth. The assumption being that "redundant" will
unnecessarily iterate through each AD if I put all AD info in the config.

If auth module fails authentication, policy module will determine whether
the request should fall-through to another AD. If yes, then mschap can auth
against the new AD.

And if auth succeeds, then policy module can also determine the outbound
values to send back to NAS.


-Peter
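Alan's suggestion below (call a second mschap instance from the authenticate section when the first one fails), written out as an added example that is not part of this thread. The instance names mschap_ad1/mschap_ad2, the ntlm_auth paths and the --domain values are assumptions, and winbind on the RADIUS host is assumed to be able to answer for both domains.

```unlang
# mods-enabled/mschap: one mschap instance per Active Directory.
# Instance names, ntlm_auth path and domain names are placeholders.
mschap mschap_ad1 {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=AD1 --username=%{%{Stripped-User-Name}:-%{User-Name}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

mschap mschap_ad2 {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=AD2 --username=%{%{Stripped-User-Name}:-%{User-Name}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# sites-enabled/nac-server, authenticate section: replaces the plain
# "Auth-Type MS-CHAP { mschap }" block from the configuration quoted below.
authenticate {
    Auth-Type MS-CHAP {
        # By default reject and fail are "return" and end the section.
        # Mapping them to a priority lets processing continue so the
        # second AD can be consulted.
        mschap_ad1 {
            reject = 1
            fail   = 1
        }
        # Only fall through to the second AD when the first one did not
        # accept the credentials.
        if (reject || fail) {
            mschap_ad2
        }
    }
}
```

Because the second instance only runs after the first returned reject or fail, a wrong password is tried against both domains, so every bad attempt counts toward the account lockout threshold on each AD.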

On Saturday, June 9, 2018, Alan Buxey <alan.buxey at gmail.com> wrote:

> Hi
>
> What's the policy module doing? (Since you didn't share) and how is it
> being called?
>     Auth-Type MS-CHAP {
>         mschap
>     }
>
> You just need to extend and change that bit, as documented in the module
> failover section.
>
> alan
>
>
> On Sat, 9 Jun 2018, 04:44 Peter Drucker, <druckers at gmail.com> wrote:
>
> > Thanks for the quick response. I have a "policy" module that can determine
> > the AD to use for authentication as well as post-auth attributes to send in
> > the response.
> >
> > So I can't directly enter the AD in the authentication section. Here's a
> > sample of my configuration.
> >
> > server nac-server {
> >     listen {
> >         type = auth
> >         ipaddr = 10.10.120.103
> >         port = 1812
> >         limit {
> >             max_connections = 16
> >             lifetime = 0
> >             idle_timeout = 30
> >         }
> >     }
> >
> >     listen {
> >         type = acct
> >         ipaddr = 10.10.120.103
> >         port = 1813
> >         limit {
> >             max_connections = 16
> >             lifetime = 0
> >             idle_timeout = 30
> >         }
> >     }
> >
> >
> >     authorize {
> >         update control {
> >             Load-Balance-Key = "%{Calling-Station-Id}"
> >         }
> >         policy
> >         chap
> >         mschap
> >         eap {
> >             ok = return
> >         }
> >         pap
> >     }
> >     authenticate {
> >         Auth-Type PAP {
> >             pap
> >         }
> >         Auth-Type CHAP {
> >             chap
> >         }
> >         Auth-Type MS-CHAP {
> >             mschap
> >         }
> >         eap
> >     }
> >     preacct {
> >         acct_unique
> >         policy
> >     }
> >     accounting {
> >         policy
> >     }
> >     session {
> >         radutmp
> >     }
> >     post-auth {
> >         policy
> >         Post-Auth-Type REJECT {
> >             attr_filter.access_reject
> >             policy
> >             ok
> >         }
> >     }
> >     pre-proxy {
> >         policy
> >     }
> >     post-proxy {
> >         policy
> >         eap
> >         Post-Proxy-Type Fail-Authentication {
> >             policy
> >         }
> >     }
> > }
> >
> > On Fri, Jun 8, 2018 at 5:34 PM, Alan Buxey <alan.buxey at gmail.com> wrote:
> >
> > > why so late in the process?
> > >
> > > just use another AD in the Authenticate section instead....  read the
> > > unlang to see how you can call another mschap module
> > > if the first one is failing...
> > > (i've done this to transition from one AD to another).
> > >
> > > alan
> > >
> > > On 8 June 2018 at 21:14, Peter Drucker <druckers at gmail.com> wrote:
> > >
> > > > Hi,
> > > >
> > > >    I'm looking for a different kind of fall-through.
> > > >
> > > >    Is it possible for FreeRadius to fall-through to another Active
> > > > Directory after Post-Auth-Type Reject?
> > > >
> > > > Thanks,
> > > > Peter.
> > > > -
> > > > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > > > list/users.html