[RADIATOR] connection / protocol failures and policy behavior (decouple LDAP2 from EAP?)
Christian Meutes
christian at errxtx.net
Thu Jan 10 09:01:50 UTC 2019
Hi.
On Wed, Jan 9, 2019 at 7:16 PM Alfred Reibenschuh <
alfred.reibenschuh_v-tservices at at.ibm.com> wrote:
> The file dependency is from the goodies directory and i have not found a
> way to do without.
>
Let's see if the following configuration is the way to go (but it looks kind
of bloated to me, and I'm unsure if there are corner cases with those IGNOREs).
    # 1. EAP is mandatory, only ACCEPT should go through (using ContinueWhileAccept)
    # (unfortunately file dependency)
    <AuthBy GROUP>
        Identifier EAP
        AuthByPolicy ContinueWhileAccept
        <AuthBy FILE>
            Filename %D/users.eaptls
            AuthenProto EAP
            EAPType TLS
            [..]
        </AuthBy>
    </AuthBy>

    # 2. ACCEPT and IGNORE (LDAP failing) should go through (using ContinueUntilReject)
    <AuthBy GROUP>
        Identifier LDAP
        AuthByPolicy ContinueUntilReject
        RewriteUsername [..]
        <AuthBy LDAP2>
            NoEAP
            NoDefault
            UsernameAttr CN
            PasswordAttr
            [..]
        </AuthBy>
    </AuthBy>

    # 3. ACCEPT and IGNORE (SQL failing) should go through (using ContinueUntilReject)
    <AuthBy GROUP>
        Identifier SQL
        AuthByPolicy ContinueUntilReject
        <AuthBy RADMIN>
            NoDefault
            AcceptIfMissing
            NoCheckPassword
            NoEAP
            [..]
        </AuthBy>
    </AuthBy>

    # 4. Catch previous IGNOREs (failed LDAP and SQL backends)
    <AuthBy INTERNAL>
        Identifier ACCEPT
        AuthResult ACCEPT
    </AuthBy>

    <Handler Request-Type=Access-Request,[..]>
        RewriteUsername [..]
        AuthBy EAP
        AuthBy LDAP
        AuthBy SQL
        AuthBy ACCEPT
    </Handler>
--
Christian
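To see how those IGNOREs actually flow through the four AuthBy clauses, here is an added simulator of Radiator's AuthByPolicy chaining (my own example, not code from the post or from the Radiator distribution). It assumes the policy semantics as I read them from the Radiator reference manual (stop at the first result the policy does not continue on, otherwise the last member's result wins), a default Handler policy of ContinueWhileIgnore because the quoted Handler shows none, and modelled backend outcomes (LDAP2 with NoDefault: user missing = REJECT, server down = IGNORE; RADMIN with AcceptIfMissing: missing = ACCEPT, database down = IGNORE).

```python
# Added example: simulate Radiator AuthByPolicy chaining for the handler above.
# Policy semantics are my reading of the Radiator reference manual (assumption).
ACCEPT, REJECT, IGNORE, CHALLENGE = "ACCEPT", "REJECT", "IGNORE", "CHALLENGE"

# policy -> predicate on a member's result: True means "try the next member"
CONTINUE = {
    "ContinueWhileIgnore": lambda r: r == IGNORE,   # Radiator default
    "ContinueUntilIgnore": lambda r: r != IGNORE,
    "ContinueWhileAccept": lambda r: r == ACCEPT,
    "ContinueUntilAccept": lambda r: r != ACCEPT,
    "ContinueWhileReject": lambda r: r == REJECT,
    "ContinueUntilReject": lambda r: r != REJECT,
    "ContinueAlways":      lambda r: True,
}

def run_chain(policy, members, req):
    """Evaluate members in order. A member is a callable req -> result (an AuthBy)
    or a (policy, members) tuple (a nested AuthBy GROUP). Stop at the first result
    the policy does not continue on; if all members continue, keep the last result."""
    result = IGNORE
    for m in members:
        result = run_chain(m[0], m[1], req) if isinstance(m, tuple) else m(req)
        if not CONTINUE[policy](result):
            break
    return result

# Modelled backends (constructed for this example, not real AuthBy modules).
def eap_file(req):   # <AuthBy FILE> AuthenProto EAP: final-round outcome only
    return ACCEPT if req["eap_cert_ok"] else REJECT

def ldap2(req):      # <AuthBy LDAP2> NoDefault: "down" modelled as IGNORE
    return {"ok": ACCEPT, "nouser": REJECT, "down": IGNORE}[req["ldap"]]

def radmin(req):     # <AuthBy RADMIN> AcceptIfMissing NoCheckPassword
    return {"ok": ACCEPT, "missing": ACCEPT, "down": IGNORE}[req["sql"]]

def handler(req, handler_policy="ContinueWhileIgnore"):
    """The quoted <Handler>; handler_policy is the Handler's own AuthByPolicy."""
    chain = [
        ("ContinueWhileAccept", [eap_file]),   # AuthBy EAP   (GROUP)
        ("ContinueUntilReject", [ldap2]),      # AuthBy LDAP  (GROUP)
        ("ContinueUntilReject", [radmin]),     # AuthBy SQL   (GROUP)
        lambda req: ACCEPT,                    # AuthBy ACCEPT (INTERNAL)
    ]
    return run_chain(handler_policy, chain, req)

if __name__ == "__main__":
    cert_ok_but_not_in_ldap = {"eap_cert_ok": True, "ldap": "nouser", "sql": "ok"}
    for pol in ("ContinueWhileIgnore", "ContinueUntilReject"):
        print(pol, "->", handler(cert_ok_but_not_in_ldap, pol))
```

Under the default handler policy the EAP group's ACCEPT ends the chain before LDAP is consulted, so the LDAP and SQL stages only matter when the Handler itself carries a policy such as ContinueUntilReject.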