Eric Martell <[EMAIL PROTECTED]> wrote:
> Thanks so much Neal. You got it 95% right. The problem
> is FreeRadius always authorize first (no matter what
> the order in radiusd.conf) and then authenticate.

Yes, that's how the server works.

> (****This authorize should break the sequence and
> return FAIL. I tried ldap2 { fail = return } but no
> help...still returns notfound ****)

See doc/configurable_failover. You may want:

	...
	ldap2 {
		fail = reject
	}
	...

> Technically it should authenticate and then authorize
> and send the group response (AND) of both.

Then... configure it to do that. The default behavior is that a
"notfound" error is NOT fatal, because another module or database
may find the user.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
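
An added example, not part of the reply above or of the FreeRADIUS distribution: a constructed authorize section using the per-module return-code overrides described in doc/configurable_failover, so that both a failed lookup and a "notfound" result from ldap2 end the section with a reject. The instance name ldap1 is an assumption; ldap2 is the name used in the thread.

```text
# Constructed fragment of the authorize section in radiusd.conf.
# "ldap1" is an assumed first LDAP instance; "ldap2" is from the thread.
authorize {
	# No override block: default actions apply. With the defaults,
	# "notfound" is not fatal, so processing continues to the next
	# module, which may still find the user.
	ldap1

	# Override block: the action for each return code listed here
	# replaces the default for this module only.
	ldap2 {
		# Directory unreachable or query error: stop and reject
		# rather than carrying on without an answer from LDAP.
		fail = reject

		# User absent from this directory: also stop and reject,
		# instead of letting the section finish with "notfound".
		notfound = reject
	}
}
```

Running the server in debug mode (radiusd -X) prints the return code of each module in the section, which shows whether ldap2 returned fail or notfound and which override was applied.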