[RADIATOR] ContinueWhileIgnore in AuthByGroup with LDAP

Bob Shafer bshafer at du.edu
Sat Oct 10 03:07:00 CDT 2009


Hugh,

Just for completeness -

When I'd tested with ContinueUntilAccept I did not test beyond making 
sure the failover happened.  When I tested this more completely I found 
that ContinueUntilAccept seems to act like ContinueWhileAccept for 
EAP-PEAP-MSCHAP-V2 - testing the credentials on both LDAP servers with 
success, but failing in the end.

I finally went with ContinueWhileReject, which seems to work just fine. 
It still tries both servers when a client has bad credentials, but it 
also will fail over properly when the first LDAP server goes south.

Is there any chance that EAP-PEAP-MSCHAP-V2 could return Ignore when it 
can't connect to the LDAP server?  Or is there something inherent in the 
protocol that implies that it has to return Reject when it can't connect?

Thanks,

Bob


Hugh Irvine wrote:
> 
> Hello Bob -
> 
> This is more likely to be due to EAP and MSCHAP-V2.
> 
> I think you will need to continue using ContinueUntilAccept.
> 
> regards
> 
> Hugh
> 
> 
> On 2 Oct 2009, at 18:54, Bob Shafer wrote:
> 
>> I'm pretty sure, at one time, this acted as I wished:
>>
>>        <AuthBy GROUP>
>>                AuthByPolicy ContinueWhileIgnore
>>                AuthBy LDAP-AUTH
>>                AuthBy BU-LDAP-AUTH
>>        </AuthBy>
>>
>> The intent being to try a primary LDAP server as configured in AuthBy 
>> LDAP-AUTH, and if that server was unavailable, to try the back up 
>> server as configured in AuthBy BU-LDAP-AUTH.
>>
>> At some point, and I'm not sure when, because I did not test this 
>> after every upgrade, it stopped working.
>>
>> It appears that, when the primary fails, instead of returning IGNORE, 
>> radiator is returning REJECT:
>>
>> Fri Oct  2 02:18:40 2009: ERR: Could not open LDAP connection to 
>> ldap.du.edu:636. Backing off for 600 seconds.
>> Fri Oct  2 02:18:40 2009: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: 
>> no such user xyzzy
>> Fri Oct  2 02:18:40 2009: DEBUG: AuthBy GROUP result: REJECT, EAP 
>> MSCHAP V2 failed: no such user xyzzy
>> Fri Oct  2 02:18:40 2009: INFO: Access rejected for 872120688: EAP 
>> MSCHAP V2 failed: no such user xyzzy
>>
>> If I switch from ContinueWhileIgnore to ContinueUntilAccept, fail over 
>> works.  But that means that, when the user enters their credentials 
>> incorrectly, that radiator will, unnecessarily, test them against the 
>> backup server.
>>
>> The server is running 4.4 with patches that were available as of last 
>> Friday.
>>
>> If you need to see the entire configuration file and/or debug output 
>> let me know and I will send it under separate cover.
>>
>> Bob
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
> 
> 
> 
> NB:
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive 
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
> 
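As an added illustration (my own Python, not Radiator code and not part of the thread), the simulation below runs the AuthByPolicy values discussed above against a primary and a backup LDAP-style backend. It assumes the simple semantics that ContinueWhileX keeps consulting members while one returns X, ContinueUntilX until one returns X, and that the group's result is the last result seen; the EAP-PEAP-MSCHAP-V2 state machine is not modelled. It shows why a backend that answers REJECT instead of IGNORE when its LDAP server is unreachable defeats ContinueWhileIgnore failover, and why ContinueWhileReject consults both servers on bad credentials.

```python
from typing import Callable, Dict, List, Tuple

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

def ldap_backend(users: Dict[str, str], reachable: bool, reject_when_down: bool) -> Callable[[str, str], str]:
    """Constructed stand-in for an AuthBy LDAP clause: IGNORE when the server is
    unreachable, or REJECT if reject_when_down (what the posted log shows)."""
    def check(user: str, password: str) -> str:
        if not reachable:
            return REJECT if reject_when_down else IGNORE
        return ACCEPT if users.get(user) == password else REJECT
    return check

def authby_group(policy: str, members: List[Callable[[str, str], str]], user: str, password: str) -> Tuple[str, int]:
    """Assumed semantics: ContinueWhileX continues while a member returns X,
    ContinueUntilX until one returns X; the result is the last one seen."""
    if policy.startswith("ContinueWhile"):
        target = policy[len("ContinueWhile"):].upper()
        keep_going = lambda r: r == target
    elif policy.startswith("ContinueUntil"):
        target = policy[len("ContinueUntil"):].upper()
        keep_going = lambda r: r != target
    else:
        raise ValueError(f"unsupported AuthByPolicy: {policy}")
    result, consulted = IGNORE, 0
    for member in members:
        result = member(user, password)
        consulted += 1
        if not keep_going(result):
            break
    return result, consulted

USERS = {"alice": "correct-horse"}  # constructed directory contents

def scenarios(policy: str, reject_when_down: bool) -> Dict[str, Tuple[str, int]]:
    # The three cases discussed in the thread, each against [primary, backup].
    up = ldap_backend(USERS, True, reject_when_down)
    down = ldap_backend(USERS, False, reject_when_down)
    return {
        "good creds, primary up": authby_group(policy, [up, up], "alice", "correct-horse"),
        "good creds, primary down": authby_group(policy, [down, up], "alice", "correct-horse"),
        "bad creds, primary up": authby_group(policy, [up, up], "alice", "wrong"),
    }

if __name__ == "__main__":
    for policy, down_is_reject in [("ContinueWhileIgnore", False), ("ContinueWhileIgnore", True),
                                   ("ContinueWhileReject", True), ("ContinueUntilAccept", True)]:
        print(policy, "(LDAP down -> REJECT)" if down_is_reject else "(LDAP down -> IGNORE)")
        for case, (res, n) in scenarios(policy, down_is_reject).items():
            print(f"  {case:25s} -> {res:6s} after {n} backend(s)")
```

The second table in the output reproduces the posted log: with the primary answering REJECT while down, ContinueWhileIgnore stops after one backend and the user is rejected even though the backup would have accepted.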