Hello Christopher,
here's my take:
<Handler>
    AuthByPolicy ContinueWhileReject
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileAccept
        AuthBy LDAP2
        AuthBy DUO
        # DUO is async, returns IGNORE, just like RADIUS
    </AuthBy>
    AuthBy RADIUS
</Handler>
If LDAP happens to be down or returns an error, AuthBy LDAP2 will return
IGNORE and GROUP will not continue. This might be a good thing too?
Thanks,
Heikki
On 11/07/2013 08:31 PM, Christopher Bongaarts wrote:
> That would seem to yield the effective logic:
>
> AuthBy LDAP2
> if result = ACCEPT
> then
>     AuthBy DUO
>     if result != ACCEPT
>     then
>         AuthBy RADIUS
>     endif
> endif
>
> which is not what I want - either DUO or RADIUS should be invoked, never
> both; which one is invoked is determined by the result of LDAP2.
>
> This is close:
>
> <AuthBy GROUP>
>     AuthByPolicy ContinueUntilAccept
>     <AuthBy GROUP>
>         AuthByPolicy ContinueWhileAccept
>         AuthBy LDAP2
>         AuthBy DUO
>     </AuthBy>
>     AuthBy RADIUS
> </AuthBy>
>
> but will invoke RADIUS unnecessarily if LDAP2 returns ACCEPT but DUO
> returns REJECT or IGNORE. Security-wise this is OK (it is not possible
> for this RADIUS to succeed if LDAP2 succeeded) but does put an extra
> load on the proxied RADIUS service.
>
> On 11/6/2013 4:24 PM, Hugh Irvine wrote:
>> Hello Christopher -
>>
>> Something like this:
>>
>> <AuthBy GROUP>
>>     AuthByPolicy ContinueWhileAccept
>>     AuthBy LDAP2
>>     <AuthBy GROUP>
>>         AuthByPolicy ContinueUntilAccept
>>         AuthBy DUO
>>         AuthBy RADIUS
>>     </AuthBy>
>> </AuthBy>
>>
>> regards
>>
>> Hugh
>>
>>
>> On 7 Nov 2013, at 08:51, Christopher Bongaarts <[email protected]> wrote:
>>
>>> I have a need to handle multiple authentication methods which returns
>>> something like this:
>>>
>>> AuthBy LDAP2
>>> if result = ACCEPT
>>> then
>>>     AuthBy DUO
>>> else
>>>     AuthBy RADIUS
>>>
>>> with the ultimate authentication result coming from either the DUO or
>>> RADIUS module. I tried to figure out a way to arrange some combination
>>> of AuthBy GROUP and AuthByPolicy to make this fly but I can't seem to
>>> figure out a way to make it work. Any suggestions?
>>>
>>> --
>>> %% Christopher A. Bongaarts %% [email protected] %%
>>> %% OIT - Identity Management %% http://umn.edu/~cab %%
>>> %% University of Minnesota %% +1 (612) 625-1809 %%
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> [email protected]
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>> --
>>
>> Hugh Irvine
>> [email protected]
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc.
>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>
>
>
--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
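A small Python model of the AuthByPolicy chaining argued over in this thread, added here as an illustration; it is not Radiator code and only approximates Radiator's semantics (each AuthBy GROUP or Handler hands its parent the result of the last module it consulted, and the parent's policy is applied to that result). LDAP2, DUO and RADIUS are stand-in module names whose results are supplied as constructed inputs, so the two layouts can be compared across every LDAP2/DUO outcome.

```python
"""Toy model of Radiator AuthByPolicy chaining (illustration, not Radiator code)."""
import re

# Result codes as plain strings; constructed for this model.
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

def parse_policy(policy):
    """'ContinueWhileAccept' -> ('While', 'ACCEPT'); 'ContinueAlways' -> None."""
    if policy == "ContinueAlways":
        return None
    m = re.fullmatch(r"Continue(While|Until)(Accept|Reject|Ignore)", policy)
    if not m:
        raise ValueError(f"unsupported policy {policy!r}")
    return m.group(1), m.group(2).upper()

def keep_going(policy, result):
    """Does this policy consult the next AuthBy after seeing `result`?"""
    rule = parse_policy(policy)
    if rule is None:
        return True
    mode, code = rule
    return result == code if mode == "While" else result != code

def evaluate(node, outcomes, invoked):
    """node: module name, or ("GROUP", policy, [children]) for a Handler/GROUP.
    outcomes: module name -> result it returns. invoked: filled in call order.
    A group hands its parent the result of the last module it consulted."""
    if isinstance(node, str):
        invoked.append(node)
        return outcomes[node]
    _, policy, children = node
    result = IGNORE  # empty group: nothing consulted (assumption)
    for child in children:
        result = evaluate(child, outcomes, invoked)
        if not keep_going(policy, result):
            break
    return result

def run(config, ldap2, duo, radius=ACCEPT):
    """Simulate one request; returns (final result, modules consulted)."""
    invoked = []
    outcomes = {"LDAP2": ldap2, "DUO": duo, "RADIUS": radius}
    return evaluate(config, outcomes, invoked), invoked

# Heikki's layout: Handler ContinueWhileReject around a ContinueWhileAccept group.
HEIKKI = ("GROUP", "ContinueWhileReject",
          [("GROUP", "ContinueWhileAccept", ["LDAP2", "DUO"]), "RADIUS"])
# Christopher's "close" layout: RADIUS runs whenever the inner group is not ACCEPT.
CHRIS = ("GROUP", "ContinueUntilAccept",
         [("GROUP", "ContinueWhileAccept", ["LDAP2", "DUO"]), "RADIUS"])
```

With these inputs the HEIKKI layout consults RADIUS only after an LDAP2 REJECT and never after an LDAP2 ACCEPT, and when LDAP2 returns IGNORE the Handler stops without consulting RADIUS, which is the failure mode Heikki points out; the CHRIS layout consults RADIUS after LDAP2 ACCEPT plus DUO REJECT, the extra load Christopher describes.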