Hello Christopher -

What are the possible return values from your LDAP2 and DUO clauses?

If I understand what you describe correctly you should be able to do this:

<AuthBy GROUP>
    AuthByPolicy ContinueWhileIgnore
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileAccept
        <AuthBy LDAP2>
            …..
        </AuthBy>
        <AuthBy GROUP>
            AuthByPolicy ContinueWhileReject
            <AuthBy DUO>
                …..
            </AuthBy>
            <AuthBy INTERNAL>
                DefaultResult IGNORE
            </AuthBy>
        </AuthBy>
    </AuthBy>
    <AuthBy RADIUS>
        …..
    </AuthBy>
</AuthBy>

regards

Hugh

On 8 Nov 2013, at 05:31, Christopher Bongaarts <c...@umn.edu> wrote:

> That would seem to yield the effective logic:
>
> AuthBy LDAP2
> if result = ACCEPT
> then
>   AuthBy DUO
>   if result != ACCEPT
>   then
>     AuthBy RADIUS
>   endif
> endif
>
> which is not what I want - either DUO or RADIUS should be invoked, never
> both; which one is invoked is determined by the result of LDAP2.
>
> This is close:
>
> <AuthBy GROUP>
>   AuthByPolicy ContinueUntilAccept
>   <AuthBy GROUP>
>     AuthByPolicy ContinueWhileAccept
>     AuthBy LDAP2
>     AuthBy DUO
>   </AuthBy>
>   AuthBy RADIUS
> </AuthBy>
>
> but will invoke RADIUS unnecessarily if LDAP2 returns ACCEPT but DUO returns
> REJECT or IGNORE. Security-wise this is OK (it is not possible for this
> RADIUS to succeed if LDAP2 succeeded) but does put an extra load on the
> proxied RADIUS service.
>
> On 11/6/2013 4:24 PM, Hugh Irvine wrote:
>> Hello Christopher -
>>
>> Something like this:
>>
>> <AuthBy GROUP>
>>   AuthByPolicy ContinueWhileAccept
>>   AuthBy LDAP2
>>   <AuthBy GROUP>
>>     AuthByPolicy ContinueUntilAccept
>>     AuthBy DUO
>>     AuthBy RADIUS
>>   </AuthBy>
>> </AuthBy>
>>
>> regards
>>
>> Hugh
>>
>>
>> On 7 Nov 2013, at 08:51, Christopher Bongaarts <c...@umn.edu> wrote:
>>
>>> I have a need to handle multiple authentication methods which returns
>>> something like this:
>>>
>>> AuthBy LDAP2
>>> if result = ACCEPT
>>> then
>>>   AuthBy DUO
>>> else
>>>   AuthBy RADIUS
>>>
>>> with the ultimate authentication result coming from either the DUO or
>>> RADIUS module. I tried to figure out a way to arrange some combination
>>> of AuthBy GROUP and AuthByPolicy to make this fly but I can't seem to
>>> figure out a way to make it work. Any suggestions?
>>>
>>> --
>>> %% Christopher A. Bongaarts %% c...@umn.edu %%
>>> %% OIT - Identity Management %% http://umn.edu/~cab %%
>>> %% University of Minnesota %% +1 (612) 625-1809 %%
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator@open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>> --
>>
>> Hugh Irvine
>> h...@open.com.au
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc.
>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>
>
>
> --
> %% Christopher A. Bongaarts %% c...@umn.edu %%
> %% OIT - Identity Management %% http://umn.edu/~cab %%
> %% University of Minnesota %% +1 (612) 625-1809 %%
>

--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
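
Added example, not part of the original thread and not Radiator code: a small Python model that walks the two nested AuthBy GROUP arrangements analysed in the quoted reply over every LDAP2/DUO/RADIUS result combination and compares them with the requested "LDAP2 selects exactly one of DUO or RADIUS" logic. It assumes ContinueWhileX continues only while the last result is X, ContinueUntilX stops once it is X, and a group returns the result of the last AuthBy it ran; the names run, desired and compare are hypothetical.

```python
from itertools import product

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"
BACKENDS = ("LDAP2", "DUO", "RADIUS")

# Two configurations from the thread, as (policy, children) trees.
FIRST_SUGGESTION = ("ContinueWhileAccept",
                    ["LDAP2", ("ContinueUntilAccept", ["DUO", "RADIUS"])])
CLOSE_ATTEMPT = ("ContinueUntilAccept",
                 [("ContinueWhileAccept", ["LDAP2", "DUO"]), "RADIUS"])

def run(node, results, called):
    """Evaluate a backend name or a (policy, children) group (assumed model)."""
    if isinstance(node, str):
        called.append(node)          # record every backend actually invoked
        return results[node]
    policy, children = node
    keep_while = policy.startswith("ContinueWhile")
    target = policy[len("ContinueWhile"):].upper()   # both prefixes are 13 chars
    result = IGNORE
    for child in children:
        result = run(child, results, called)
        # While: stop when result != target; Until: stop when result == target
        if (result == target) != keep_while:
            break
    return result

def desired(results):
    """The logic requested in the thread: LDAP2 picks exactly one of DUO/RADIUS."""
    second = "DUO" if results["LDAP2"] == ACCEPT else "RADIUS"
    return results[second], ["LDAP2", second]

def compare(config):
    """Return (call_mismatches, unsafe_accepts) over all 27 result combinations."""
    mismatches, unsafe = [], []
    for combo in product((ACCEPT, REJECT, IGNORE), repeat=3):
        results = dict(zip(BACKENDS, combo))
        called = []
        got = run(config, results, called)
        want, want_called = desired(results)
        if called != want_called:
            mismatches.append((combo, called))
        if got == ACCEPT and want != ACCEPT:
            unsafe.append(combo)     # accepted although the chosen backend did not
    return mismatches, unsafe

if __name__ == "__main__":
    for name, cfg in (("first", FIRST_SUGGESTION), ("close", CLOSE_ATTEMPT)):
        mismatches, unsafe = compare(cfg)
        print(name, len(mismatches), "call mismatches; accepts that differ:", unsafe)
```

Under this model the only combinations where the "close" configuration accepts a request the requested logic would not are those where RADIUS accepts after LDAP2 accepted and DUO did not, so its safety rests on the thread's statement that this RADIUS cannot succeed when LDAP2 succeeded.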