Hello Radiators,
We are using EAP authentication (802.1X) inside an 'AuthBy LDAP2', which is in turn wrapped in an 'AuthBy GROUP'.
<AuthBy GROUP>
        Identifier EAP-LDAP
        RewriteUsername ...
        <AuthBy LDAP2>
                NoDefault
                AuthenProto EAP
                Host ... ... ...
                AuthDN ...
                AuthPassword ...
                BaseDN ...
                EAPType TLS
                (..)
        </AuthBy>
</AuthBy>
A Handler authenticates through that group first and, by using
'ContinueWhileAccept', then leverages another 'AuthBy SQL' to deliver
reply attributes, if any.
<Handler Request-Type=Access-Request>
        RewriteUsername ...
        AuthByPolicy ContinueWhileAccept
        AuthBy EAP-LDAP
        AuthBy SQL
</Handler>
If I remember correctly, putting the EAP into the LDAP2 was something that
was necessary to authenticate through EAP while also having a mandatory
check on the user in LDAP.
Now I wonder whether it is necessary (or possible at all) to decouple EAP
and LDAP2 *somehow*, so that the LDAP part is IGNOREd or ACCEPTed when its
servers are down, for example, or when the LDAP code returns any other
protocol exception. In short: a broken LDAP should not be able to deny access.
Any ideas about that?
Thanks
--
Christian
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator