Can FreeRADIUS retry authentication with another Active Directory after Post-Auth-Type REJECT

Peter Drucker druckers at gmail.com
Mon Jun 11 04:31:34 CEST 2018


On Sun, Jun 10, 2018 at 12:39 PM, Alan DeKok <aland at deployingradius.com> wrote:

> On Jun 9, 2018, at 11:01 PM, Peter Drucker <druckers at gmail.com> wrote:
> >
> > This is what I want to 'happen':
> >
> > if any of the 'authenticate' modules 'reject' or 'notfound',
> >              check is 'policy' module says 'handled'.
> >              If it says 'handled', then
> >                  - retry 'authentication' with fall-through AD.
> >                  - 'fall-through' AD info is supplied by 'policy' module.
>
>  How?  AD queries are done via ntlm_auth, or via the winbind module.
> What "info" is being supplied here?
>


Yes, we use ntlm_auth and the AD domain info is passed dynamically.



> >              If 'policy' module says 'reject'
> >                  - come out of 'authenticate'
>
>  The main issue there is that modules like MS-CHAP will return MS-CHAP
> error attributes.  So you can't just "fall through" to trying something
> else.  You also need to delete the MS-CHAP error attributes.
>


Yes, this is the issue that I noticed when I tried to call
'rad_authenticate()' again in the 'Post-Auth REJECT' workflow.



>  Honestly, it's always better to do the right thing, and only the right
> thing.  It's bad to do something wrong, and then try to do the right thing.
>
>  So *why* are you failing over to a different AD server?  Why not just
> try that AD server in the first place?
>
I have a few AD servers at this time, with some data being synchronized
but not all. So I have a few users common between these ADs, but I also have
some server info that's not yet synchronized. So instead of simply using
'redundant' to automatically fall through, I would like this to be
configurable based on some other characteristics from the policy module.



>  If you want to catch the "reject" return code from a module, read this
> page:
>
>   https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/configuration/configurable_failover.rst
>
>  It has examples for how to do configurable failover.
>
I tried this:

    authenticate {
        Auth-Type MS-CHAP {
            mschap
            if (reject)
                policy
                reject = return
        }
    }

I can see mschap returning reject, but it's not honoring the if
condition. Does it only handle the return codes and not the 'if'
statement in the authenticate flow?

>   Alan DeKok.
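For reference, here is how the pattern from the configurable_failover page looks when applied to the case in this thread: the primary mschap module's reject is demoted to a testable return code, the MS-CHAP error attribute is removed as Alan describes, and a second mschap instance pointed at the fallback domain controller is tried. This is an added example written for this page, not configuration from the thread or from the FreeRADIUS project; the instance name `mschap_dc2`, the policy name `ad_failover_policy`, the use of `control:Tmp-Integer-0` as its flag, and the ntlm_auth path are all assumed.

```unlang
# mods-enabled/mschap_dc2 (assumed file): a second mschap instance whose
# ntlm_auth binary/winbind is joined to the fallback domain controller.
mschap mschap_dc2 {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# sites-enabled/default, authenticate section
authenticate {
    Auth-Type MS-CHAP {
        # A module's "reject" normally ends the section at once. Giving the
        # reject code a priority instead of the default "return" lets the
        # following "if" see it.
        mschap {
            reject = 1
        }
        if (reject) {
            # Assumed policy: decides from its own data whether this
            # user/domain may fall through, and sets
            # control:Tmp-Integer-0 := 1 when it may.
            ad_failover_policy
            if (&control:Tmp-Integer-0 == 1) {
                # The first attempt already put MS-CHAP-Error in the
                # reply; drop it before retrying, or the client sees a
                # failure even if the second DC accepts.
                update reply {
                    &MS-CHAP-Error !* ANY
                }
                mschap_dc2
            }
            else {
                reject
            }
        }
    }
}
```

Note that the "if" in unlang always takes a braced block; the conditions in this example test the return code of the module run immediately before them.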

