Can FreeRADIUS retry authentication with another Active Directory after Post-Auth-Type REJECT
Peter Drucker
druckers at gmail.com
Sun Jun 10 05:01:04 CEST 2018
This is what I want to 'happen':
if any of the 'authenticate' modules 'reject' or 'notfound',
check if 'policy' module says 'handled'.
If it says 'handled', then
- retry 'authentication' with fall-through AD.
- 'fall-through' AD info is supplied by 'policy' module.
If 'policy' module says 'reject'
- come out of 'authenticate'
On Sat, Jun 9, 2018 at 10:43 PM, Alan DeKok <aland at deployingradius.com> wrote:
> On Jun 9, 2018, at 8:40 PM, Peter Drucker <druckers at gmail.com> wrote:
> > What I'm trying to do is something like this. Obviously it's not working
> > with the error as:
> >
> > /home/users/radius/raddb/sites-enabled/nac-server[63]: Subsection of module instance call not allowed
> > /home/users/radius/raddb/sites-enabled/nac-server[62]: Failed to parse "mschap" subsection.
>
> See "man unlang". You can't just put random things in the config and
> expect them to do what you want.
>
> >
> > authenticate {
> > Auth-Type MS-CHAP {
> > mschap { ==> line 62
>
> mschap is a module. If you do "mschap { ...}" the *only* allowed
> contents of the {...} block are failure codes and priorities.
>
>
> > if (notfound) { ==> line 63
>
> Instead of explaining what you've done, maybe you can explain what
> you're trying to do. i.e. what you *want* to happen.
>
> > policy {
> > if (handled) {
> > mschap
>
> So "mschap" is inside of the "mschap" section?
>
> That doesn't make sense...
>
> Alan DeKok.
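The flow described at the top of this message, written so that it follows the rule quoted above (a module's {...} block holds only return codes and priorities, and conditions sit beside the module call). This is an added sketch, not configuration from the original post or from Alan DeKok; the instance names mschap_primary and mschap_fallback and the module name ad_fallback_policy are hypothetical.

```unlang
# sites-enabled/nac-server: authenticate section only (added example).
#
# Assumptions, none of which come from the original thread:
#   - mods-enabled/ defines two instances of the mschap module,
#       mschap mschap_primary  { ... settings for the first AD ... }
#       mschap mschap_fallback { ... settings for the fall-through AD ... }
#   - "ad_fallback_policy" is the site's own 'policy' module; it returns
#     'handled' when a fall-through AD should be tried, 'reject' otherwise.
authenticate {
    Auth-Type MS-CHAP {
        # Inside a module's braces only return codes and priorities are
        # allowed. Giving reject/notfound a priority instead of "return"
        # lets the section continue after the first AD says no.
        mschap_primary {
            reject   = 1
            notfound = 1
        }

        # Conditions on the previous module's return code go next to the
        # module call, never inside it.
        if (reject || notfound) {
            ad_fallback_policy {
                handled = 1        # continue to the retry below
                reject  = return   # leave 'authenticate' with reject
            }

            if (handled) {
                # Second attempt against the fall-through AD. Its reject
                # keeps the default action, so a second failure ends the
                # section with reject.
                mschap_fallback
            }
        }
    }
}
```

With this flow a rejected password is presented to both directories, so it can count toward account lockout in each. Running the server as `radiusd -X` shows which module returned which code for a given request.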