Hi,

There is a little problem I'd like to share with you,
maybe someone has come across this already. The basic
issue is that we try to use the freeradius server to
authenticate users logging in via DSL (PPPoA/PPPoE).
Especially if a router connects to the broadband NAS
via PPPoA (PPP over ATM), and the RADIUS server sends
an "Access-Reject" (i.e. wrong password, user unknown, ...)
the router tries to connect again and again, and the
NAS puts some dozens of RADIUS requests per second (!)
on the freeradius server.

We did not find any option on the NAS to tell it to
stop flooding the RADIUS server in case of Access-Rejects,
so we had the following idea:

If we accepted (!) the "wrong" connections using an
IP filter to prevent the users from using Internet connectivity
and a session timer to make sure the "on-hold" session
expires after some minutes, this would be a reasonable
workaround.

I have had a hard day looking at the freeradius configuration,
but I did not find any way to produce the following behaviour:

    * If the user is in the LDAP database (and the password is 
      correct), take the LDAP attributes and send "Access-Accept"

    * If not, send some standard attributes.

I have the following users file which doesn't do the job,
since the first DEFAULT entry is always taken, and if the
user does not authenticate via LDAP, the second one is not
taken into account:

    # LDAP - most attributes come out of the LDAP database
    DEFAULT         Auth-Type := LDAP
                    Service-Type = Framed,
                    Framed-Protocol = PPP,
                    Framed-MTU = 1500,
                    Framed-Compression = Van-Jacobson-TCP-IP

    DEFAULT         Auth-Type := Accept
                    Framed-IP-Address = 255.255.255.254,
                    Framed-IP-Netmask = 255.255.255.255,
                    Framed-Filter-Id = "diabled",
                    Session-Timeout = 600

On the other hand, the "Fall-Through = yes" does not work
here, because I want no fall-through if the user is a valid
LDAP user.

Has anyone an idea on this issue?

Thanks in advance,
Roland



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
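
The reply selection asked for in the message above, modelled in Python as an added example (not code from the original post and not FreeRADIUS configuration). DIRECTORY, build_reply and is_contained are hypothetical names, the directory content is constructed, and Session-Timeout is the standard RADIUS attribute used here for the session timer.

```python
import hmac

# Constructed stand-in for the LDAP directory: user -> (password, per-user reply attributes)
DIRECTORY = {"alice": ("s3cret", {"Framed-IP-Address": "192.0.2.10"})}

# Sent with every successful LDAP login (values from the first DEFAULT entry)
LDAP_DEFAULTS = {"Service-Type": "Framed", "Framed-Protocol": "PPP", "Framed-MTU": 1500}

# "On-hold" profile (values from the second DEFAULT entry): filtered and time-limited
ON_HOLD = {
    "Framed-IP-Address": "255.255.255.254",
    "Framed-IP-Netmask": "255.255.255.255",
    "Framed-Filter-Id": "diabled",   # filter name exactly as given in the post
    "Session-Timeout": 600,          # seconds
}

def build_reply(user, password, directory=DIRECTORY):
    """Return (packet_type, attributes, profile) for one Access-Request."""
    entry = directory.get(user)
    # Unknown users are compared against an empty string so both paths do a comparison
    stored = entry[0] if entry else ""
    matches = hmac.compare_digest(stored.encode(), password.encode())
    if entry is not None and matches:
        # Valid LDAP user: no fall-through, so nothing from ON_HOLD reaches the reply
        return "Access-Accept", {**LDAP_DEFAULTS, **entry[1]}, "ldap"
    # Unknown user or wrong password: accepted, but only with the on-hold profile
    return "Access-Accept", dict(ON_HOLD), "on-hold"

def is_contained(attrs, max_timeout=900):
    """An on-hold accept is only safe if it carries a filter and a short timeout."""
    timeout = attrs.get("Session-Timeout", 0)
    return bool(attrs.get("Framed-Filter-Id")) and 0 < timeout <= max_timeout

if __name__ == "__main__":
    for user, pw in [("alice", "s3cret"), ("alice", "wrong"), ("mallory", "")]:
        packet, attrs, profile = build_reply(user, pw)
        # Log the profile: on-hold accepts no longer show up as Access-Reject
        print(user, packet, profile, "contained" if is_contained(attrs) else "open")
```

Because failed logins now come back as Access-Accept, the profile label is the only record that authentication failed, so it should be logged.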