Can FreeRADIUS retry authentication with another Active Directory after Post-Auth-Type REJECT
Peter Drucker
druckers at gmail.com
Sun Jun 10 02:40:12 CEST 2018
Finally I've got my laptop to add more details.
My environment has multiple AD domains which will be replaced with a new
domain after the merger is complete. Until then, I have users coming from all
these various domains, and my policy module will determine whether to
fall through or not. Since my policy module also does some other things
that are configurable, I cannot completely eliminate it from the picture
and solely depend on the conditional fail-over supported by unlang.
I need the auth modules, upon failure, to be able to invoke the policy module
and decide whether to fail over or not. So is it possible to do this using
the config file, or will I have to insert code in the mschap code, which I
would like to avoid if possible?
What I'm trying to do is something like this. Obviously it's not working,
with the error:
/home/users/radius/raddb/sites-enabled/nac-server[63]: Subsection of module
instance call not allowed
/home/users/radius/raddb/sites-enabled/nac-server[62]: Failed to parse
"mschap" subsection.
authenticate {
    Auth-Type MS-CHAP {
        mschap {                    ==> line 62
            if (notfound) {         ==> line 63
                policy {
                    if (handled) {
                        mschap
                    }
                }
            }
            else if (reject) {
                policy {
                    if (handled) {
                        mschap
                    }
                }
            }
        }
    }
}
On Sat, Jun 9, 2018 at 7:07 PM, Peter Drucker <druckers at gmail.com> wrote:
> Policy module determines which AD to use, and then the mschap module uses
> the AD info to run ntlm_auth. The assumption being that "redundant" will
> unnecessarily iterate through each AD if I put all AD info in the config.
>
> If auth module fails authentication, policy module will determine whether
> the request should fall-through to another AD. If yes, then mschap can auth
> against the new AD.
>
> And if auth succeeds, then policy module can also determine the outbound
> values to send back to NAS.
>
>
> -Peter
>
> On Saturday, June 9, 2018, Alan Buxey <alan.buxey at gmail.com> wrote:
>
>> Hi
>>
>> What's the policy module doing? (Since you didn't share) and how is it
>> being called?
>> Auth-Type MS-CHAP {
>> mschap
>> }
>>
>> You just need to extend and change that bit, as documented in the module
>> failover section.
>>
>> alan
>>
>>
>> On Sat, 9 Jun 2018, 04:44 Peter Drucker, <druckers at gmail.com> wrote:
>>
>> > Thanks for the quick response. I have a "policy" module that can
>> > determine the AD to use for authentication as well as post-auth
>> > attributes to send in the response.
>> >
>> > So I can't directly enter the AD in the authentication section. Here's a
>> > sample of my configuration.
>> >
>> > server nac-server {
>> >     listen {
>> >         type = auth
>> >         ipaddr = 10.10.120.103
>> >         port = 1812
>> >         limit {
>> >             max_connections = 16
>> >             lifetime = 0
>> >             idle_timeout = 30
>> >         }
>> >     }
>> >
>> >     listen {
>> >         type = acct
>> >         ipaddr = 10.10.120.103
>> >         port = 1813
>> >         limit {
>> >             max_connections = 16
>> >             lifetime = 0
>> >             idle_timeout = 30
>> >         }
>> >     }
>> >
>> >     authorize {
>> >         update control {
>> >             Load-Balance-Key = "%{Calling-Station-Id}"
>> >         }
>> >         policy
>> >         chap
>> >         mschap
>> >         eap {
>> >             ok = return
>> >         }
>> >         pap
>> >     }
>> >     authenticate {
>> >         Auth-Type PAP {
>> >             pap
>> >         }
>> >         Auth-Type CHAP {
>> >             chap
>> >         }
>> >         Auth-Type MS-CHAP {
>> >             mschap
>> >         }
>> >         eap
>> >     }
>> >     preacct {
>> >         acct_unique
>> >         policy
>> >     }
>> >     accounting {
>> >         policy
>> >     }
>> >     session {
>> >         radutmp
>> >     }
>> >     post-auth {
>> >         policy
>> >         Post-Auth-Type REJECT {
>> >             attr_filter.access_reject
>> >             policy
>> >             ok
>> >         }
>> >     }
>> >     pre-proxy {
>> >         policy
>> >     }
>> >     post-proxy {
>> >         policy
>> >         eap
>> >         Post-Proxy-Type Fail-Authentication {
>> >             policy
>> >         }
>> >     }
>> > }
>> >
>> > On Fri, Jun 8, 2018 at 5:34 PM, Alan Buxey <alan.buxey at gmail.com> wrote:
>> >
>> > > why so late in the process?
>> > >
>> > > just use another AD in the Authenticate section instead.... read the
>> > > unlang to see how you can call another mschap module
>> > > if the first one is failing...
>> > > (i've done this to transition from one AD to another).
>> > >
>> > > alan
>> > >
>> > > On 8 June 2018 at 21:14, Peter Drucker <druckers at gmail.com> wrote:
>> > >
>> > > > Hi,
>> > > >
>> > > > I'm looking for a different kind of fall-through.
>> > > >
>> > > > Is it possible for FreeRadius to fall-through to another Active
>> > > > Directory after Post-Auth-Type Reject?
>> > > >
>> > > > Thanks,
>> > > > Peter.
>> > > > -
>> > > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
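The module fail-over Alan refers to, written out as an added example (not configuration from this thread or from the FreeRADIUS distribution): two mschap instances, one per domain, with the first instance's reject/notfound return codes overridden so the section keeps running and a second attempt can be made. The instance names mschap_olddomain / mschap_newdomain, the domain names OLDDOMAIN / NEWDOMAIN and the ntlm_auth path are assumptions.

```unlang
# mods-enabled/mschap_domains (added example; instance names, domain names
# and the ntlm_auth path are assumptions, not values from this thread)
mschap mschap_olddomain {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=OLDDOMAIN --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

mschap mschap_newdomain {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=NEWDOMAIN --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# sites-enabled/nac-server, authenticate section. The retry has to happen
# here: by Post-Auth-Type REJECT the Access-Reject is already decided.
authenticate {
    Auth-Type MS-CHAP {
        # A module call's subsection may contain only return-code priority
        # overrides (no 'if' or nested module calls, which is what produced
        # the "Subsection of module instance call not allowed" error).
        # Priority 1 for reject/notfound means the section does not return
        # immediately; the return code is kept for the 'if' below.
        mschap_olddomain {
            reject = 1
            notfound = 1
        }
        if (reject || notfound) {
            # Second attempt against the other domain. The instance re-runs
            # ntlm_auth with the same challenge/response already in the
            # request, so no new exchange with the client is needed. A
            # site-specific gate (e.g. a 'policy' call that sets a control
            # attribute) can wrap this call; it is left out here.
            mschap_newdomain
        }
    }
}
```

If the second instance also rejects, the section returns reject as before; if it succeeds, the reply is built from that instance's result.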