[RADIATOR] How to do LDAP failover with RADIUS MFA
Heikki Vatiainen
hvn at open.com.au
Wed Feb 15 13:43:31 UTC 2023
On 15.2.2023 6.40, Steve Phillips via radiator wrote:
> Try LDAP entry 1, if this passes, jump to MFA, if this passes then
> return accept
> If LDAP 1 returns reject, then return reject.
> HOWEVER
> If LDAP entry 1 fails with a timeout, try LDAP entry 2, if this passes
> jump to MFA if this passes then return reject
> If LDAP 2 returns a reject then return reject
>
> I'm unsure how to do this though, it would be like
>
> Policy = ContinueWhileAccept
> (Do LDAP Group)
> Do RADIUS group
>
> LDAP Group
> Policy = ContinuewhileIgnore
> Do LDAP 1
> Do LDAP 2
>
> IS it possible to perform nested auth policies like this?
Yes, this is possible. You've almost described the configuration
already. I'd try something like this:
<Handler ...>
    AuthByPolicy ContinueWhileAccept
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileIgnore
        # Shorthand for <AuthBy LDAP2> ...
        AuthBy do-ldap-1
        AuthBy do-ldap-2
    </AuthBy>
    <AuthBy RADIUS>
        # ...
    </AuthBy>
</Handler>
Notes:
If do-ldap-2 fails and returns IGNORE, the Handler returns with IGNORE
and no response is sent back to the client. If a failure of both LDAPs
needs to trigger an Access-Reject, add an <AuthBy INTERNAL> as the last
AuthBy within the GROUP. For example:
<AuthBy INTERNAL>
    Identifier default-reject
    AuthResult REJECT
    AcctResult ACCEPT
    RejectReason All LDAP servers are down
</AuthBy>
Thanks,
Heikki
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
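An added illustration, not part of the thread or of Radiator itself: a small Python model of the nested policy evaluation the reply describes, so the difference between "both LDAPs time out" with and without the trailing <AuthBy INTERNAL> can be traced. It assumes ContinueWhileAccept stops at the first non-ACCEPT result and ContinueWhileIgnore at the first non-IGNORE result; server names and outcomes are constructed.

```python
"""Toy model of the nested AuthByPolicy evaluation from the thread (not
Radiator code). Assumed semantics: ContinueWhileAccept stops at the first
non-ACCEPT result, ContinueWhileIgnore at the first non-IGNORE result, and
each returns that result, or its continue value if every AuthBy continued."""

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"
CONTINUE_ON = {"ContinueWhileAccept": ACCEPT, "ContinueWhileIgnore": IGNORE}


def run_policy(policy, authbys, request):
    """Evaluate AuthBy callables in order under one AuthByPolicy."""
    result = CONTINUE_ON[policy]           # returned if every AuthBy continues
    for authby in authbys:
        result = authby(request)
        if result != CONTINUE_ON[policy]:  # first deviating result ends the group
            break
    return result


def handler(ldap_outcomes, mfa_result, with_default_reject=False):
    """GROUP(ContinueWhileIgnore: ldap1, ldap2[, INTERNAL reject]) followed by
    the MFA step (the <AuthBy RADIUS>), all under ContinueWhileAccept.
    Outcomes are constructed. Returns (final result, whether MFA was consulted)."""
    calls = []

    def ldap(name):
        # A timeout surfaces as IGNORE, which is what lets the GROUP fall
        # through to the next server; a failed bind is REJECT.
        return lambda req: ldap_outcomes[name]

    def mfa(req):
        calls.append("mfa")
        return mfa_result

    def default_reject(req):
        # <AuthBy INTERNAL> AuthResult REJECT: "all LDAPs down" becomes an
        # Access-Reject instead of a silently dropped request.
        return REJECT

    group = [ldap("ldap1"), ldap("ldap2")]
    if with_default_reject:
        group.append(default_reject)
    result = run_policy("ContinueWhileAccept", [
        lambda req: run_policy("ContinueWhileIgnore", group, req),
        mfa,
    ], {"User-Name": "alice"})
    return result, "mfa" in calls


if __name__ == "__main__":
    print(handler({"ldap1": IGNORE, "ldap2": ACCEPT}, ACCEPT))        # ('ACCEPT', True)
    print(handler({"ldap1": IGNORE, "ldap2": IGNORE}, ACCEPT, True))  # ('REJECT', False)
```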