[RADIATOR] connection / protocol failures and policy behavior (decouple LDAP2 from EAP?)

Christian Meutes christian at errxtx.net
Thu Jan 10 09:01:50 UTC 2019


Hi.

On Wed, Jan 9, 2019 at 7:16 PM Alfred Reibenschuh <alfred.reibenschuh_v-tservices at at.ibm.com> wrote:

> The file dependency is from the goodies directory and i have not found a
> way to do without.
>

Let's see if the following configuration is the way to go (but it looks kind
of bloated to me and I'm unsure if there are corner cases with those IGNOREs).


# 1. EAP is mandatory, only ACCEPT should go through (using ContinueWhileAccept)
# (unfortunately file dependency)
<AuthBy GROUP>
    Identifier EAP
    AuthByPolicy ContinueWhileAccept
    <AuthBy FILE>
        Filename %D/users.eaptls
        AuthenProto EAP
        EAPType TLS
        [..]
    </AuthBy>
</AuthBy>

# 2. ACCEPT and IGNORE (LDAP failing) should go through (using ContinueUntilReject)
<AuthBy GROUP>
    Identifier LDAP
    AuthByPolicy ContinueUntilReject
    RewriteUsername [..]
    <AuthBy LDAP2>
        NoEAP
        NoDefault
        UsernameAttr CN
        PasswordAttr
        [..]
    </AuthBy>
</AuthBy>

# 3. ACCEPT and IGNORE (SQL failing) should go through (using ContinueUntilReject)
<AuthBy GROUP>
    Identifier SQL
    AuthByPolicy ContinueUntilReject
    <AuthBy RADMIN>
        NoDefault
        AcceptIfMissing
        NoCheckPassword
        NoEAP
        [..]
    </AuthBy>
</AuthBy>

# 4. Catch previous IGNORES (failed LDAP and SQL backends)
<AuthBy INTERNAL>
    Identifier ACCEPT
    AuthResult ACCEPT
</AuthBy>

<Handler Request-Type=Access-Request,[..]>
    RewriteUsername [..]
    AuthBy EAP
    AuthBy LDAP
    AuthBy SQL
    AuthBy ACCEPT
</Handler>

-- 
Christian
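As an added illustration (not part of the original post and not Radiator code), here is a small Python model of how the AuthByPolicy rules chain the four stages above. It assumes the documented rule that a chain stops according to its policy and returns the result of the last AuthBy consulted, that the Handler keeps its default AuthByPolicy ContinueWhileIgnore unless given another one, and it leaves EAP CHALLENGE results out; per-backend outcomes are taken from a constructed request dict.

```python
# Constructed model of Radiator AuthByPolicy chaining (assumption: the
# group/handler result is that of the last AuthBy consulted; CHALLENGE is
# not modelled). Not Radiator code.
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# For each policy: does the chain stop after a member returned r?
STOP_AFTER = {
    "ContinueWhileIgnore": lambda r: r != IGNORE,   # Handler default
    "ContinueUntilIgnore": lambda r: r == IGNORE,
    "ContinueWhileAccept": lambda r: r != ACCEPT,
    "ContinueUntilAccept": lambda r: r == ACCEPT,
    "ContinueWhileReject": lambda r: r != REJECT,
    "ContinueUntilReject": lambda r: r == REJECT,
    "ContinueAlways":      lambda r: False,
}

def group(policy, members):
    """Build an AuthBy GROUP (or Handler chain) with the given AuthByPolicy."""
    def run(request):
        result = IGNORE                      # nothing consulted yet
        for member in members:
            result = member(request)
            if STOP_AFTER[policy](result):
                break
        return result
    return run

def backend(name):
    """Simulated backend whose outcome comes from the constructed request."""
    return lambda request: request[name]

def handler(handler_policy="ContinueWhileIgnore"):
    """The four-stage chain from the post, under the Handler's own policy."""
    return group(handler_policy, [
        group("ContinueWhileAccept", [backend("eap")]),    # AuthBy EAP
        group("ContinueUntilReject", [backend("ldap")]),   # AuthBy LDAP
        group("ContinueUntilReject", [backend("sql")]),    # AuthBy SQL
        lambda request: ACCEPT,                            # AuthBy ACCEPT
    ])

def decide(eap, ldap, sql, handler_policy="ContinueWhileIgnore"):
    """Final result of the Handler for the given per-backend outcomes."""
    return handler(handler_policy)({"eap": eap, "ldap": ldap, "sql": sql})

if __name__ == "__main__":
    for combo in [(ACCEPT, REJECT, ACCEPT), (IGNORE, IGNORE, IGNORE)]:
        for pol in ("ContinueWhileIgnore", "ContinueUntilReject"):
            print(pol, combo, "->", decide(*combo, handler_policy=pol))
```

Under the Handler default, an EAP ACCEPT ends the chain before LDAP or SQL are consulted, and three IGNOREs still end in ACCEPT from the INTERNAL stage; the per-group policies only matter inside each group, which here has a single member.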