[RADIATOR] connection / protocol failures and policy behavior (decouple LDAP2 from EAP?)
Christian Meutes
christian at errxtx.net
Wed Jan 9 02:01:58 UTC 2019
Hello Radiators,
we are using EAP authentication (802.1x) inside of 'AuthBy LDAP2', and
that is surrounded by another 'AuthBy Group'.
<AuthBy GROUP>
    Identifier EAP-LDAP
    RewriteUsername ...
    <AuthBy LDAP2>
        NoDefault
        AuthenProto EAP
        Host ... ... ...
        AuthDN ...
        AuthPassword ...
        BaseDN ...
        EAPType TLS
        (..)
    </AuthBy>
</AuthBy>
A handler authenticates through that group first, and by using
'ContinueWhileAccept' it's leveraging another 'AuthBy SQL' to deliver
reply-attributes, if any.
<Handler Request-Type=Access-Request>
    RewriteUsername ...
    AuthByPolicy ContinueWhileAccept
    AuthBy EAP-LDAP
    AuthBy SQL
</Handler>
If I remember correctly putting the EAP into the LDAP2 was something which
was necessary to authenticate through EAP while also having a mandatory
check on the user in LDAP.
Now I wonder if it's necessary to decouple EAP and LDAP2 *somehow* (if
possible at all) to IGNORE or ACCEPT the LDAP-part when its servers are
for example down (or for any other protocol exception in the LDAP code
returning). In short: broken LDAP should not be able to deny access.
Any ideas about that?
Thanks
--
Christian
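Added for illustration (not code from the post or from Radiator): a small Python model of the AuthByPolicy chaining described above, under assumed, simplified semantics, showing what reaches AuthBy SQL when the LDAP server is up, rejects the user, or is unreachable.

```python
# Added model (not Radiator code) of how AuthByPolicy chains the AuthBy
# clauses in the post. Assumed, simplified semantics: a policy names the
# result that allows the chain to move on to the next AuthBy, and the
# chain's result is that of the last AuthBy consulted.
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# Policies modelled; each predicate says whether to continue after a result.
POLICY = {
    "ContinueWhileIgnore": lambda r: r == IGNORE,   # Radiator's default
    "ContinueWhileAccept": lambda r: r == ACCEPT,
    "ContinueUntilAccept": lambda r: r != ACCEPT,
    "ContinueAlways":      lambda r: True,
}

def run_chain(policy, authbys, request):
    """Consult AuthBys in order under `policy`; return (result, names consulted)."""
    result, consulted = IGNORE, []
    for name, authby in authbys:
        result = authby(request)
        consulted.append(name)
        if not POLICY[policy](result):
            break
    return result, consulted

# Assumed behaviour of the inner AuthBy LDAP2: ACCEPT a known user,
# REJECT an unknown one, IGNORE when no directory server is reachable.
def ldap2(request):
    if request["ldap_down"]:
        return IGNORE
    return ACCEPT if request["user"] in request["directory"] else REJECT

# AuthBy SQL only adds reply attributes; it accepts whatever reaches it.
def sql(request):
    request.setdefault("reply", []).append("Filter-Id=from-sql")  # constructed value
    return ACCEPT

def handler(user, ldap_down, directory=("alice",)):
    """The <Handler> from the post: GROUP(EAP-LDAP) then SQL, ContinueWhileAccept."""
    request = {"user": user, "ldap_down": ldap_down, "directory": set(directory)}
    # AuthBy GROUP uses the default policy; with one member it simply relays LDAP2.
    eap_ldap = lambda req: run_chain("ContinueWhileIgnore", [("LDAP2", ldap2)], req)[0]
    result, consulted = run_chain("ContinueWhileAccept",
                                  [("EAP-LDAP", eap_ldap), ("SQL", sql)], request)
    return result, consulted, request.get("reply", [])

if __name__ == "__main__":
    for user, down in [("alice", False), ("mallory", False), ("alice", True)]:
        print(user, "ldap_down" if down else "ldap_up", "->", handler(user, down))
```

In the modelled semantics the "LDAP down" case stops the chain at IGNORE, so AuthBy SQL is never consulted and no reply attributes are produced; that is the fail-closed outcome the post asks about.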