In a nutshell: I'd like to proxy authentication requests to a Microsoft IAS server only if the attempt to first handle them locally has returned a REJECT.

Details: I have IAS properly configured to authenticate AD users. FreeRADIUS (1.0.1) is running on a Linux (Debian, kernel 2.4.26) box and can authenticate properly against a local LDAP server (default realm) or proxy the requests to the IAS server (ntdomain) realm. This configuration is working.

If the request contains the username in ntdomain format (e.g. "domain\username"), it gets forwarded to the IAS server. If the username has no prefix/suffix (e.g. "username"), it gets handled locally. Again, the radtest util has confirmed that this configuration is working the way that I'm expecting.

However, what I'd like to do is have the server attempt to handle this request locally. If the local authentication attempt results in a 'reject', I then would like to have this request proxied to the IAS server. I could reverse the order and have the request first proxied to the IAS server and then handled locally if it's rejected, but the majority of our users have local accounts so it makes sense to try the local system first.

I would greatly appreciate any suggestions that can be offered.

Bryan

