"redundant" block works in "default" virtual server, but does not work in "inner-tunnel"

Alan DeKok aland at deployingradius.com
Fri Mar 4 13:36:28 UTC 2022


On Mar 4, 2022, at 1:15 AM, Rahman Duran <rahman.duran at erzurum.edu.tr> wrote:
> So at least you know what I try to do. How can I achieve this then? I want
> to use multiple authentication sources, they can be users text file, sql or
> ldap, and there can be multiple of the same kind, multiple sql, multiple
> files, multiple ldap. User-Name should be searched in them sequentially and
> if the user is not found in any of them (noop for files, notfound for sql
> and ldap), I set the module failure message and reject the request here.

  That is completely the wrong approach.  It's a very bad idea to try many different things, and then pick the one which succeeds.   Instead, you should figure out where the users' data is located, and then use that.

  i.e. qualify the user names with different domains "user at example.com" versus "user at example.org".  This is a practice going back 20+ years.

  Where you can't do that, find some other method to distinguish users.  i.e. users coming from NAS1 are for ISP1 and database1, while users coming from NAS2 are for ISP2 and database2.

  Or maybe look at MAC addresses, and associate user accounts with MAC addresses.  So that when a user logs in, the combination of "user + MAC" is unique.

  The absolute worst thing you can do is to randomly try a bunch of databases, hoping that perhaps one will succeed.

  But since you didn't post the *full* debug output (which contains name, MAC, etc.), I can't offer any more specific advice.

> The problem is testing for "ok", "noop", "notfound" etc with a following
> unlang if condition is not working as expected everywhere.

  It works as *documented*.  If your expectations are different from how it works, then read the documentation and debug mode to see how it really works.

> So I am using
> "group" statements as I need to be sure I am checking the correct module
> return value.

  "group" doesn't change the return codes.  So it doesn't do what you think it does.

  If you must use multiple databases, you can't use "redundant".  The "redundant" keyword is for when one database *fails*.  i.e. it's *down*.  The "redundant" keyword isn't really good for trying multiple authentication types.

  You need to go back and understand the requirements.  You can't simply poke at the FreeRADIUS configuration until it works.  You have to understand what you're trying to do.  And once you understand that, the solution is usually simple.

  From the limited debug output you posted, it looks like users do have domain names associated with them.  So why not use that?

	if domain 1
		use ldap1
	else if domain 2
		use ldap2

  Why would it be any more complex than that?

  Alan DeKok.
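One way to write out the domain-based routing sketched above, as an added example in FreeRADIUS v3 unlang that is not part of the thread. The ldap module instance names (ldap1, ldap1_replica, ldap2) and the two domains are assumptions; the instances would be defined in mods-enabled as `ldap ldap1 { ... }` and so on. It also shows the one place "redundant" fits, in front of two servers holding the same data, rather than in front of unrelated databases.

```unlang
# Added example, not from the original message.
# Pick the directory that owns the user from the domain in User-Name,
# instead of trying every backend and keeping whichever one answers.
# Assumed module instances: ldap1, ldap1_replica (a copy of ldap1), ldap2.
authorize {
    preprocess

    if (User-Name =~ /@example\.com$/i) {
        # "redundant" belongs here: same data on two servers.  It only
        # falls through to ldap1_replica when ldap1 returns "fail",
        # i.e. the server is down or unreachable.  A "notfound" from
        # ldap1 is an answer, not a failure, so the replica is not tried.
        redundant {
            ldap1
            ldap1_replica
        }
    }
    elsif (User-Name =~ /@example\.org$/i) {
        ldap2
    }
    else {
        # No recognised domain: refuse rather than guess which backend to ask.
        update request {
            Module-Failure-Message := "User-Name carries no known domain"
        }
        reject
    }

    # Return codes are those of the last module (or redundant block) that ran.
    # "notfound" means the directory answered and has no such user.
    if (notfound) {
        update request {
            Module-Failure-Message := "User not found in the directory for this domain"
        }
        reject
    }

    # Authentication is still selected separately (e.g. the ldap instance
    # setting Auth-Type, or pap when a usable password attribute came back).
    pap
}
```

Debug mode (radiusd -X) prints the return code of each module call, so the "notfound" versus "fail" distinction above can be checked against a real request rather than assumed.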
