[RADIATOR] connection / protocol failures and policy bevavior (decouple LDAP2 from EAP?)

Christian Meutes christian at errxtx.net
Wed Jan 9 02:01:58 UTC 2019

Hello Radiators,

we are using EAP authentication (802.1x) inside of  'AuthBy LDAP2', and
that surrounded by another 'AuthBy Group'.

<AuthBy GROUP>
    Identifier EAP-LDAP
    RewriteUsername ...
    <AuthBy LDAP2>
        AuthenProto EAP
        Host ... ... ...
        AuthDN ...
        AuthPassword ...
        BaseDN ...
        EAPType TLS

A handler authenticates through that group first, and by using
'ContinueWhileAccept' it's leveraging another 'AuthBy SQL' to deliver
reply-attributes, if any.

<Handler Request-Type=Access-Request>
    RewriteUsername ...
    AuthByPolicy ContinueWhileAccept
    AuthBy EAP-LDAP
    AuthBy SQL

If I remember correctly putting the EAP into the LDAP2 was something which
was necessary to authenticate through EAP while also having a mandatory
check on the user in LDAP.

Now I wonder if it's necessary to decouple EAP and LDAP2 *somehow* (if
possible at all) to IGNORE or ACCEPT the LDAP-part when it's servers are
for example down (or for any other protocol exception in the LDAP code
returning). In short: broken LDAP should not be able to deny access.

Any ideas about that?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20190109/b0923662/attachment.html>

More information about the radiator mailing list