And won!
At work, we’re looking to replace our existing RADIUS server (Merit, for which support is being discontinued, and in which our guest users and blocked users are just entries in the flat file) with something more capable.
We like the look of FreeRADIUS, and it’s pretty easy to write new modules for; for example, I whipped something together to check our PH server for current status, etc.
But what we really want is to chain two or more Auth-Types together; if the first doesn’t find the user, try the second, then the third, etc.
It turns out this actually is well documented, but it was super hard to find (I didn’t think of this as “failover”): it’s in doc/configurable_failover in the FreeRADIUS distribution.
Specifically, all you need to do is this:
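In radiusd.conf:

    # Auth-Type blocks belong inside the authenticate { } section.
    Auth-Type MyMultiAuth {
        redundant {
            # First source: Kerberos
            krb5 {
                fail = 1
                notfound = 2
                reject = 3 # required because krb5 returns reject on notfound
            }
            # Second source: SQL
            sql {
                fail = return
                notfound = 1
            }
            # Any further source follows the same pattern
            next_module {
                fail = return
                notfound = 1
            }
        }
    }
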
And in users:

    DEFAULT Auth-Type = MyMultiAuth

Easy enough. Just obscure.
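
To see which source ends up deciding a login, here is an added Python model of the MyMultiAuth block above (not code from this post or from FreeRADIUS). It assumes the failover semantics as I understand them from doc/configurable_failover: "return" stops the block with that code, a number is a priority and processing continues, ties go to the later module, and codes a module does not override default to "return" except fail, which defaults to 1. The module result codes fed in are constructed sample input.

```python
# Simplified model (an assumption, not FreeRADIUS source) of how a
# redundant block resolves module return codes into one final result.
RETURN = "return"

# The MyMultiAuth block from this post, as (module, overridden actions).
MY_MULTI_AUTH = [
    ("krb5", {"fail": 1, "notfound": 2, "reject": 3}),
    ("sql", {"fail": RETURN, "notfound": 1}),
    ("next_module", {"fail": RETURN, "notfound": 1}),
]

def default_action(code):
    # Assumed defaults inside a redundant block: only 'fail' moves on
    # to the next module; every other code ends the block immediately.
    return 1 if code == "fail" else RETURN

def evaluate(block, results):
    """results maps module name -> return code (constructed input).
    Returns (final_code, modules_called_in_order)."""
    best_code, best_prio, called = "reject", 0, []
    for name, overrides in block:
        code = results[name]
        called.append(name)
        action = overrides.get(code, default_action(code))
        if action == RETURN:
            return code, called          # stop here with this code
        if action >= best_prio:          # ties go to the later module
            best_code, best_prio = code, action
    return best_code, called

if __name__ == "__main__":
    # Constructed scenarios: what each module would answer for one login.
    cases = {
        "user in krb5, good password": {"krb5": "ok"},
        "krb5 rejects, sql accepts": {"krb5": "reject", "sql": "ok"},
        "unknown everywhere": {"krb5": "reject", "sql": "notfound",
                               "next_module": "notfound"},
        "krb5 and sql both down": {"krb5": "fail", "sql": "fail"},
    }
    for label, results in cases.items():
        code, called = evaluate(MY_MULTI_AUTH, results)
        print(f"{label:30} -> {code:8} via {' > '.join(called)}")
```

In this model, reject = 3 on krb5 means a Kerberos reject for a wrong password also falls through to sql, so an account that exists in both stores is accepted if the password matches either one. If the stores are meant to hold disjoint users, that is worth checking against your own data.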
Below, I hope the following keywords will help the next guy:
two auth-types multiple auth-types chain auth-types two authentication sources