[RADIATOR] How to do LDAP failover with RADIUS MFA
Steve Phillips
steve at focb.co.nz
Wed Feb 15 04:40:18 UTC 2023
Hi there,
I have a handler (as shown below) that was performing an LDAP lookup for
a userid, then stripping the password and handing off to a Duo RADIUS
proxy that would then take care of MFA.
However, one day I switched my LDAP server off, which caused a bit of
chaos ;-) No problem, let's put another LDAP server in and change the
'ContinueWhileAccept' policy to something else.
What I am trying to do, optimally, is:
Try LDAP entry 1; if this passes, jump to MFA; if this passes, then
return accept.
If LDAP 1 returns reject, then return reject.
HOWEVER
If LDAP entry 1 fails with a timeout, try LDAP entry 2; if this passes,
jump to MFA; if this passes, then return reject.
If LDAP 2 returns a reject, then return reject.
I'm unsure how to do this, though. It would be something like:
Policy = ContinueWhileAccept
    (Do LDAP Group)
    Do RADIUS group
LDAP Group
    Policy = ContinueWhileIgnore
    Do LDAP 1
    Do LDAP 2
Is it possible to perform nested auth policies like this?
Thanks in advance.
-- handler config --
<Handler User-Name=/^username\d*/>
    # Normalise the login name: lower-case it and drop any @realm suffix
    RewriteUsername tr/A-Z/a-z/
    RewriteUsername s/^([^@]+).*/$1/
    PreAuthHook file:"%D/hooks/PreAuthHook-PasswordDebug.pl"
    # Move on to the next AuthBy only while the previous one returned IGNORE
    AuthByPolicy ContinueWhileIgnore

    # Primary directory server (AD global catalog port)
    <AuthBy LDAP2>
        Host 1.2.3.4
        Port 3268
        AuthDN %{LDAPDN:%U}@example.com
        AuthPassword %P
        Timeout 5
        # After a failure, ignore requests for 600 seconds instead of retrying
        FailureBackoffTime 600
        BaseDN ou=example users,dc=example,dc=com
        Scope sub
        # Let the directory verify the password by binding as the user
        ServerChecksPassword
        UnbindAfterServerChecksPassword
        UsernameAttr sAMAccountName
        AuthAttrDef logonHours,MS-Login-Hours,check
        # Get user group memberships from this attribute
        GroupMembershipAttr memberOf
        # This post search hook performs the magic that
        # matches a user, group and device and sets reply
        # attributes.
        PostSearchHook file:"%D/hooks/PostSearchHook-GroupCheck.pl"
    </AuthBy>

    # Secondary directory server, identical apart from the host
    <AuthBy LDAP2>
        Host 1.2.2.4
        Port 3268
        AuthDN %{LDAPDN:%U}@example.com
        AuthPassword %P
        Timeout 5
        FailureBackoffTime 600
        BaseDN ou=example users,dc=example,dc=com
        Scope sub
        ServerChecksPassword
        UnbindAfterServerChecksPassword
        UsernameAttr sAMAccountName
        AuthAttrDef logonHours,MS-Login-Hours,check
        # Get user group memberships from this attribute
        GroupMembershipAttr memberOf
        # This post search hook performs the magic that
        # matches a user, group and device and sets reply
        # attributes.
        PostSearchHook file:"%D/hooks/PostSearchHook-GroupCheck.pl"
    </AuthBy>

    # Hand the request to the Duo RADIUS proxy for the MFA step
    <AuthBy RADIUS>
        # Reset the user-password to something incorrect
        ForwardHook file:"%D/hooks/ForwardHook-ReplacePassword.pl"
        # Append a Calling-Station-Id and the local host name
        AddToRequestIfNotExist Calling-Station-Id=1,Login-IP-Host=%h
        # Same secret and timeout for all hosts
        Secret MyDuoSecret
        RetryTimeout 60
        Host duo-server1.example.com
        Host duo-server2.example.com
        AuthPort 1815
    </AuthBy>

    <AcctLog FILE>
        Filename %L/%Y%m%d_accounting.log
        OutputFormat json
    </AcctLog>
</Handler>