Consolidating radius Servers

Alan DeKok aland at deployingradius.com
Fri Aug 4 19:25:34 CEST 2006 

"Dourty, Brian R. \(IATS\)" <DourtyB at missouri.edu> wrote:
> We currently have two load-balanced pairs of freeradius servers. One set
> supports our Dial-up/VPN customers and the other set supports our 802.1x
> wireless infrastructure. I'm wondering if it is possible to serve both
> sets of customers using one set of radius servers.

  Easy as pie, with a number of very careful intermediate steps.

>  How would we get the radius server to use the LDAP module for the
> dial-up/vpn users and the eap module for the 802.1x users?

  The NASes have different IP's, right?  i.e. no NAS handles both
kinds of users.

  First, you'll have to merge the configurations, so that the combined
server knows about all the modules that both servers do.  If they use
the same modules with different configuration, re-name them.  e.g. If
they both have "files", create "files files_vpn" and "files
files_8021x".  I suggest putting the different configurations into
sub-directories of "raddb", just to make your life easier.

  This re-naming can be done on each of the existing servers, without
changing their behavior.  In fact, I suggest it's done there, to be
sure it works..

  Now that there's no conflict in the module configurations, you can
merge the configurations onto a "combined" server.

  Take the "authorize" section from each server, and put it into an
"Autz-Type" section in the "combined" server.  e.g.

  authorize {
	    files_combined
	    Autz-Type VPN {
		      vpn stuff...
	    }
	    Autz-Type 8021x {
		      8021x stuff...
	    }
  }

  Note that there's a new "files_common" module, just for the the
combined server, that has new data:

#
DEFAULT Client-IP-Address = 1.2.3.4, Autz-Type := VPN

DEFAULT Client-IP-Address = 5.6.7.8, Autz-Type := 8021x

#

  i.e. key off of the IP of the NAS, and run one, or the other, of the
Autz-Type sections.  Do the same kind of thing (if necessary) for the
other sections, and it should work.

  That's the careful, but hard work way to do it.  If there are
significant overlaps between the server configurations, you can pull
the overlaps into combined sections.  But that will require a lot more
careful editin.

  Oh, and use version control for the intermediate changes.  Really.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog

More information about the Freeradius-Users mailing list