[RADIATOR] connection / protocol failures and policy behavior (decouple LDAP2 from EAP?)
christian at errxtx.net
Wed Jan 9 02:01:58 UTC 2019
We are using EAP authentication (802.1x) inside of 'AuthBy LDAP2', and
that is surrounded by another 'AuthBy Group'.
Host ... ... ...
A handler authenticates through that group first, and by using
'ContinueWhileAccept' it's leveraging another 'AuthBy SQL' to deliver
reply-attributes, if any.
If I remember correctly, putting the EAP into the LDAP2 was something which
was necessary to authenticate through EAP while also having a mandatory
check on the user in LDAP.
Now I wonder if it's necessary to decouple EAP and LDAP2 *somehow* (if
possible at all) to IGNORE or ACCEPT the LDAP-part when its servers are
for example down (or for any other protocol exception in the LDAP code
returning). In short: broken LDAP should not be able to deny access.
Any ideas about that?