Thanks Alan. Looks like we'll be implementing a solution in the database then.
- Rachel

On Nov 15, 2007 9:33 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Rachel Primrose wrote:
> > So, here is the order of operations:
> >
> > 1. User is trying to log in with [EMAIL PROTECTED]
> >
> > 2. The LNS first tries to authenticate the realm. It sends through
> > an access request packet to our radius server with
> > User-Name=realm.com, Service-Type=Dialout-Framed-User and Password =
> > cisco.
> > For certain realms only, we want to accept the request, and pass back
> > some cisco specific attributes. For the rest of the realms, we want
> > to just reject the request.
>
> So configure that:
>
> DEFAULT Service-Type == Dialout-Framed-User, User-Name != "realm.com", Auth-Type := Reject
>
> This goes at the *top* of the "users" file.
>
> > 3a. If the LNS gets an accept packet back with cisco attributes, it
> > forwards an access request with [EMAIL PROTECTED] to a third party LNS.
>
> And configure an entry AFTER the one above, replying with the
> appropriate Cisco attributes:
>
> realm.com Service-Type == Dialout-Framed-User, User-Password == "cisco", Auth-Type := Accept
>         cisco stuff
>         Fall-Through = No
>
> > 3b. If the LNS gets a reject packet back, it will then send an access
> > request packet to our radius server with User-Name = [EMAIL PROTECTED],
> > Service-Type=Framed-User and Password = user-provided password.
> >
> > 4. We then authenticate/authorize against an ldap server, hence the
> > term ldap_user.
>
> Then list "ldap" after "file" in the "authorize" section. Also list
> "ldap" in the authenticate section.
>
> > By conditionally run, I mean when the first access request packet with
> > just the realm arrives and is rejected, we do not want to log it in
> > the Post-Auth-Type REJECT section.
>
> It's difficult to do that in 1.1.x.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

