[RADIATOR] ContinueWhileIgnore in AuthByGroup with LDAP

Hugh Irvine hugh at open.com.au
Sat Oct 3 02:46:54 CDT 2009


Hello Bob -

This is more likely to be due to EAP and MSCHAP-V2.

I think you will need to continue using ContinueUntilAccept.

regards

Hugh


On 2 Oct 2009, at 18:54, Bob Shafer wrote:

> I'm pretty sure, at one time, this acted as I wished:
>
>        <AuthBy GROUP>
>                AuthByPolicy ContinueWhileIgnore
>                AuthBy LDAP-AUTH
>                AuthBy BU-LDAP-AUTH
>        </AuthBy>
>
> The intent being to try a primary LDAP server as configured in
> AuthBy LDAP-AUTH, and if that server was unavailable, to try the
> backup server as configured in AuthBy BU-LDAP-AUTH.
>
> At some point, and I'm not sure when, because I did not test this  
> after every upgrade, it stopped working.
>
> It appears that, when the primary fails, instead of returning  
> IGNORE, radiator is returning REJECT:
>
> Fri Oct  2 02:18:40 2009: ERR: Could not open LDAP connection to  
> ldap.du.edu:636. Backing off for 600 seconds.
> Fri Oct  2 02:18:40 2009: DEBUG: EAP result: 1, EAP MSCHAP V2  
> failed: no such user xyzzy
> Fri Oct  2 02:18:40 2009: DEBUG: AuthBy GROUP result: REJECT, EAP  
> MSCHAP V2 failed: no such user xyzzy
> Fri Oct  2 02:18:40 2009: INFO: Access rejected for 872120688: EAP  
> MSCHAP V2 failed: no such user xyzzy
>
> If I switch from ContinueWhileIgnore to ContinueUntilAccept, failover
> works.  But that means that, when the user enters their
> credentials incorrectly, radiator will, unnecessarily, test
> them against the backup server.
>
> The server is running 4.4 with patches that were available as of  
> last Friday.
>
> If you need to see the entire configuration file and/or debug output  
> let me know and I will send it under separate cover.
>
> Bob
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
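The following is an added example, not code from this thread or from Radiator itself. It models how an AuthBy GROUP combines the results of its members under the two policies discussed above, and it encodes Hugh's explanation as an assumption: with EAP and MSCHAP-V2 the AuthBy has to fetch the user's password to verify the challenge response, so an unreachable LDAP server surfaces as "no such user" and REJECT rather than IGNORE. The policy semantics (run the listed AuthBys in order, ask the policy after each result whether to go on, return the last result) are my reading of the reference manual, not something stated in the thread; the server names, the sample directory and the "xyzzy" password are constructed.

```python
"""Model of how an AuthBy GROUP combines member results under AuthByPolicy.

Added example; not Radiator code. Policy semantics are an assumption based on
the reference manual: run the AuthBys in order, consult the policy after each
result to decide whether to continue, and return the last result obtained.
"""
from typing import Callable, Dict, List, Tuple

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"
Result = str
AuthFn = Callable[[str, str], Result]

# Each predicate answers: "keep going to the next AuthBy after this result?"
POLICIES: Dict[str, Callable[[Result], bool]] = {
    "ContinueWhileIgnore": lambda r: r == IGNORE,
    "ContinueUntilAccept": lambda r: r != ACCEPT,
    "ContinueWhileReject": lambda r: r == REJECT,
    "ContinueUntilIgnore": lambda r: r != IGNORE,
}


def run_group(policy: str, authbys: List[Tuple[str, AuthFn]],
              user: str, password: str) -> Tuple[Result, List[str]]:
    """Evaluate an AuthBy GROUP; return (group result, AuthBys actually consulted)."""
    keep_going = POLICIES[policy]
    consulted: List[str] = []
    result: Result = IGNORE          # an empty group has nothing to say
    for name, check in authbys:
        consulted.append(name)
        result = check(user, password)
        if not keep_going(result):
            break
    return result, consulted


def ldap_authby(server_up: bool, directory: Dict[str, str]) -> AuthFn:
    """Plain (PAP-style) AuthBy LDAP: unreachable server -> IGNORE, otherwise ACCEPT/REJECT."""
    def check(user: str, password: str) -> Result:
        if not server_up:
            return IGNORE            # "Could not open LDAP connection ... Backing off"
        stored = directory.get(user)
        if stored is None:
            return REJECT            # no such user
        return ACCEPT if stored == password else REJECT
    return check


def eap_mschapv2(inner: AuthFn) -> AuthFn:
    """Hugh's explanation, modelled as an assumption: under EAP-MSCHAP-V2 the AuthBy
    needs the stored password to check the challenge response, so a lookup that yields
    nothing (server down or user missing) is reported as 'EAP MSCHAP V2 failed:
    no such user', i.e. REJECT, never IGNORE."""
    def check(user: str, password: str) -> Result:
        r = inner(user, password)
        return REJECT if r == IGNORE else r
    return check


# Constructed sample directory; both LDAP servers are assumed to hold the same data.
DIRECTORY = {"xyzzy": "correct-horse"}


def scenario(policy: str, primary_up: bool, password: str, eap: bool) -> Tuple[Result, List[str]]:
    """Bob's two-server group: primary LDAP-AUTH, backup BU-LDAP-AUTH (backup assumed up)."""
    primary = ldap_authby(primary_up, DIRECTORY)
    backup = ldap_authby(True, DIRECTORY)
    if eap:
        primary, backup = eap_mschapv2(primary), eap_mschapv2(backup)
    members = [("LDAP-AUTH", primary), ("BU-LDAP-AUTH", backup)]
    return run_group(policy, members, "xyzzy", password)


if __name__ == "__main__":
    cases = [(False, "correct-horse", False),   # primary down, plain LDAP
             (False, "correct-horse", True),    # primary down, EAP-MSCHAP-V2 (the thread's log)
             (True, "wrong", True)]             # primary up, bad password
    for policy in ("ContinueWhileIgnore", "ContinueUntilAccept"):
        for primary_up, password, eap in cases:
            res, used = scenario(policy, primary_up, password, eap)
            print(f"{policy:20} primary_up={primary_up!s:5} eap={eap!s:5} -> {res:6} via {used}")
```

Running it shows the two behaviours from the thread side by side: with plain LDAP and ContinueWhileIgnore, a dead primary yields IGNORE and the backup is consulted, but once the IGNORE is turned into REJECT by the EAP layer the group stops at the first member, exactly as the "AuthBy GROUP result: REJECT" log line reports. ContinueUntilAccept restores failover at the cost Bob describes: a wrong password is also tried against the backup server.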