Users randomly rejected when no connection with remote domain controllers

Alan DeKok aland at deployingradius.com
Fri Sep 6 13:07:39 UTC 2024


On Sep 6, 2024, at 8:42 AM, Rodrigo Abrantes Antunes <rodrigoantunes at pelotas.ifsul.edu.br> wrote:
> 
> Citando Alan DeKok <aland at deployingradius.com>:
> 
>>  The domain controllers are giving LDAP referrals to systems on the other side of the VPN.  When the VPN is down, those systems are unreachable.
> 
> Wouldn't this prevent the users from authenticating at all when the VPN is down? Most of the time they can authenticate, but sometimes they are rejected in a batch and then can authenticate agai

  Put it down to "magic in Active Directory".

  Whatever is going on, the results are clear: this isn't FreeRADIUS.  FreeRADIUS uses ntlm_auth to talk to Samba, and Samba talks with Active Directory.  When something goes wrong, the problem is in ntlm_auth / Samba / Active Directory.

  No amount of poking FreeRADIUS will fix this issue.

  If the issue is that Active Directory malfunctions when the VPN is down, then the solution is simple:

a) keep the VPN up

b) fix Active Directory so that it doesn't break when the VPN goes down.

> I am not the domain admin. All the campuses have the same AD server configuration as mine, the main campus IT staff gave us these servers already configured and we can't even log in to them.
> 
> A thing to mention is that other campuses use NPS or ISE as NAC and don't have this problem when the VPN is down.

  Then the issue is either Samba or AD.

> My campus is the only one using freeradius, that's why I thought that this could be a configuration error in my freeradius.

  There is no configuration in FreeRADIUS which says "make ntlm_auth fail when the VPN is down".

  Alan DeKok.
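The diagnostic step implied by this reply is to take FreeRADIUS out of the picture and call ntlm_auth directly, repeatedly, so that a batch of rejects can be matched against the NT_STATUS code Samba returns at that moment. The script below is an added example written for this page, not something posted by Alan DeKok or shipped with FreeRADIUS or Samba. It assumes a host joined to the domain with winbind running and ntlm_auth in PATH; the domain, account and password are placeholders you replace, and the NTLM_AUTH_CMD override exists only so the classifier can be exercised without a real domain controller.

```shell
#!/bin/sh
# Probe ntlm_auth outside FreeRADIUS and classify each answer by NT_STATUS code.
# Added example for this thread; assumes winbind is joined to the domain and
# ntlm_auth is in PATH.  Domain/user/password below are placeholders.

NTLM_AUTH_CMD="${NTLM_AUTH_CMD:-ntlm_auth}"   # override only for offline testing
PROBE_DOMAIN="${PROBE_DOMAIN:-EXAMPLE}"        # placeholder: your AD NetBIOS domain
PROBE_USER="${PROBE_USER:-probeuser}"          # placeholder: a low-privilege test account
PROBE_PASS="${PROBE_PASS:-changeme}"           # placeholder: prefer exporting it, not editing

# classify_result STATUS_OUTPUT RC -> prints ok | bad_creds | no_dc | other
# ntlm_auth prints a line such as
#   "NT_STATUS_OK: The operation completed successfully. (0x0)"
# and the exit code is 0 only on success.
classify_result() {
    status_line=$1
    rc=$2
    case "$status_line" in
        *NT_STATUS_OK*)
            echo ok ;;
        *NT_STATUS_LOGON_FAILURE*|*NT_STATUS_WRONG_PASSWORD*)
            echo bad_creds ;;        # AD answered and said no: not a transport problem
        *NT_STATUS_NO_LOGON_SERVERS*|*NT_STATUS_IO_TIMEOUT*|*NT_STATUS_HOST_UNREACHABLE*)
            echo no_dc ;;            # winbind could not reach a usable DC
        *)
            if [ "$rc" -eq 0 ]; then echo ok; else echo other; fi ;;
    esac
}

# probe_once: one ntlm_auth call, same flags FreeRADIUS' mschap module uses.
probe_once() {
    rc=0
    out=$("$NTLM_AUTH_CMD" --request-nt-key --domain="$PROBE_DOMAIN" \
          --username="$PROBE_USER" --password="$PROBE_PASS" 2>&1) || rc=$?
    classify_result "$out" "$rc"
}

# probe_loop COUNT INTERVAL_SECONDS: timestamped results plus a summary.
# Exits non-zero if any probe could not reach a DC, i.e. the failure is on
# the Samba / AD side regardless of what FreeRADIUS is doing.
probe_loop() {
    count=${1:-12}; interval=${2:-5}
    ok=0; no_dc=0; bad=0; other=0; i=0
    while [ "$i" -lt "$count" ]; do
        r=$(probe_once)
        printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$r"
        case $r in
            ok)        ok=$((ok+1)) ;;
            no_dc)     no_dc=$((no_dc+1)) ;;
            bad_creds) bad=$((bad+1)) ;;
            *)         other=$((other+1)) ;;
        esac
        i=$((i+1))
        [ "$i" -lt "$count" ] && sleep "$interval"
    done
    printf 'summary: ok=%d no_dc=%d bad_creds=%d other=%d\n' "$ok" "$no_dc" "$bad" "$other"
    [ "$no_dc" -eq 0 ]
}

# Usage (on the RADIUS host, as a user allowed to talk to winbind):
#   PROBE_DOMAIN=CAMPUS PROBE_USER=probe PROBE_PASS="$(cat /root/probe.pw)" ./probe.sh
[ -n "$PROBE_RUN" ] && probe_loop "${PROBE_COUNT:-12}" "${PROBE_INTERVAL:-5}"
```

Run it from cron or a screen session across a window in which the VPN is known to drop: a run of `no_dc` lines that coincides with the batch of RADIUS rejects, while FreeRADIUS itself keeps answering other users, is the evidence that the fault sits in winbind's DC selection rather than in the RADIUS configuration. `wbinfo --ping-dc` and `wbinfo -t` at the same moments give the same answer from winbind's point of view without involving a password.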
