On 15.2.2023 6.40, Steve Phillips via radiator wrote:
> Try LDAP entry 1, if this passes, jump to MFA, if this passes then
> return accept
> If LDAP 1 returns reject, then return reject.
> HOWEVER
> If LDAP entry 1 fails with a timeout, try LDAP entry 2, if this passes
> jump to MFA if this passes then return reject
> If LDAP 2 returns a reject then return reject
>
> I'm unsure how to do this though, it would be like
>
>     Policy = ContinueWhileAccept
>     (Do LDAP Group)
>     Do RADIUS group
>
>     LDAP Group
>     Policy = ContinueWhileIgnore
>     Do LDAP 1
>     Do LDAP 2
>
> Is it possible to perform nested auth policies like this?
Yes, this is possible. You've almost described the configuration
already. I'd try something like this:
    <Handler ...>
        AuthByPolicy ContinueWhileAccept
        <AuthBy GROUP>
            AuthByPolicy ContinueWhileIgnore
            # Shorthand for <AuthBy LDAP2> ...
            AuthBy do-ldap-1
            AuthBy do-ldap-2
        </AuthBy>
        <AuthBy RADIUS>
            # ...
        </AuthBy>
    </Handler>
Notes:
If do-ldap-2 fails and returns IGNORE, the Handler returns with IGNORE
and no response is sent back to the client. If a failure of both LDAPs
needs to trigger an Access-Reject, add an <AuthBy INTERNAL> as the last
AuthBy within the GROUP. For example:

    <AuthBy INTERNAL>
        Identifier default-reject
        AuthResult REJECT
        AcctResult ACCEPT
        RejectReason All LDAP servers are down
    </AuthBy>
Thanks,
Heikki
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
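Added example, not from the thread above: the two fragments from the reply assembled into one complete Handler, so the nesting of the two AuthByPolicy settings and the fail-closed fallback can be seen together. Hostnames, the BaseDN and the shared secret are placeholders; the LDAP2 parameter names (Host, Port, UseSSL, BaseDN, UsernameAttr, ServerChecksPassword, Timeout, FailureBackoffTime) are assumed from the Radiator reference manual and should be checked against the version in use.

```apacheconf
# Added example: nested AuthBy policies for "LDAP with failover, then MFA".
# All hostnames, DNs and secrets below are placeholders.
<Handler>
    # Outer policy: continue only while each step returns ACCEPT.
    # A REJECT from the LDAP group stops here, so the MFA step is never
    # reached for a user the directory did not accept.
    AuthByPolicy ContinueWhileAccept

    <AuthBy GROUP>
        # Inner policy: an unreachable or timed-out server yields IGNORE,
        # so the next server is tried. A REJECT (bad password on a server
        # that did answer) ends the group and is passed up as REJECT.
        AuthByPolicy ContinueWhileIgnore

        <AuthBy LDAP2>
            Identifier do-ldap-1
            Host ldap1.example.com
            Port 636
            UseSSL
            BaseDN ou=people,dc=example,dc=com
            UsernameAttr uid
            ServerChecksPassword
            Timeout 5
            # After a failure, skip this server for 60s instead of making
            # every request wait for the timeout before failing over.
            FailureBackoffTime 60
        </AuthBy>

        <AuthBy LDAP2>
            Identifier do-ldap-2
            Host ldap2.example.com
            Port 636
            UseSSL
            BaseDN ou=people,dc=example,dc=com
            UsernameAttr uid
            ServerChecksPassword
            Timeout 5
            FailureBackoffTime 60
        </AuthBy>

        # Reached only when both servers returned IGNORE. Fail closed:
        # without this the Handler returns IGNORE and the client gets no
        # reply at all, which it sees as a RADIUS timeout.
        <AuthBy INTERNAL>
            Identifier default-reject
            AuthResult REJECT
            AcctResult ACCEPT
            RejectReason All LDAP servers are down
        </AuthBy>
    </AuthBy>

    # MFA step, reached only after one of the LDAP servers returned ACCEPT.
    <AuthBy RADIUS>
        Host mfa.example.com
        Secret replace-with-real-secret
    </AuthBy>
</Handler>
```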