[EMAIL PROTECTED] wrote:
> The basic issue is that we try to use the freeradius server to
> authenticate users logging in via DSL (PPPoA/PPPoE). Especially if
> a router connects to the broadband NAS via PPPoA (PPP over ATM), and
> the RADIUS server sends an "Access-Reject" (i.e. wrong password,
> user unknown, ...) the router tries to connect again and again, and
> the NAS puts some dozens RADIUS requests per second (!) on the
> freeradius server.

I'd complain to your router vendor. That isn't a nice thing to do.

> If we accepted (!) the "wrong" connections using an
> IP filter to prevent the users to use Internet connectivity
> and a session timer to make sure the "on-hold" session
> expires after some minutes, this would be a reasonable
> workaround.

That sounds OK.

> I have had a hard day looking at the freeradius configuration,
> but I did not find any way to produce the following behaviour:
>
> * If the user is in the LDAP database (and the password is
>   correct), take the LDAP attributes and send "Access-Accept"
>
> * If not, send some standard attributes.

What you want is module fail-over. See 'doc/configurable_failover'

Do authorization && authentication through the ldap module. Then if the user isn't found in ldap, you can do a configurable fail-over to the 'files' module.

I don't have examples handy, sorry.

Alan DeKok.
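An added example, not part of the original message and not taken from the FreeRADIUS distribution: one way the fail-over described in the reply could be written, using the return-code override syntax of 'doc/configurable_failover'. It assumes the `ldap` module returns `ok` or `updated` for a user it finds and `notfound` otherwise; the filter name `walled-garden` and the 300-second timeout are constructed placeholders.

```conf
# --- radiusd.conf (fragment) ---
authorize {
    preprocess

    # Keep ldap and files in one group so the fail-over is local to it.
    group {
        ldap {
            # User found in LDAP: leave the group now, so 'files' never
            # runs and its accept-all DEFAULT cannot apply to this user.
            ok       = return
            updated  = return
            # User not in LDAP: lowest priority, continue to 'files'.
            notfound = 1
            # LDAP unreachable: stop with 'fail' instead of falling
            # through to the accept-all DEFAULT below.
            fail     = return
        }
        files
    }
}

authenticate {
    # Password check for users that ldap found during authorize.
    Auth-Type LDAP {
        ldap
    }
}

# --- users file read by the 'files' module (fragment) ---
# Reached only when ldap returned notfound. Accepts the session but
# restricts it: short timeout plus a filter the NAS must enforce.
# "walled-garden" is a hypothetical filter name defined on the NAS.
DEFAULT  Auth-Type := Accept
         Session-Timeout = 300,
         Filter-Id = "walled-garden"
```

This covers only the user-not-found case named in the reply; a user who exists in LDAP but sends a wrong password is still rejected in the authenticate section. Because the DEFAULT entry accepts any name that reaches it, the restriction is only as strong as the NAS's enforcement of the returned Filter-Id and Session-Timeout.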
