On Sat 23 Sep 2006 13:41, srg krn wrote:
> Hello:
>
> We want to design an AAA system with the following requisites:
>
> COMPONENTS THAT WE HAVE:
> A) NAS(es)
> B) freeradius frontend
> C) authenticators
>
> WHAT WE CAN DO IS:
> 1. The NAS sends a radius "access-request" to the radius frontend.
> In the packet there is a username (in username@group syntax) and a
> password.
> 2. The frontend MUST decide the authentication method and the
> authenticator machine based ONLY on the group (string AFTER the @).
> 3. The frontend sends user and password (note that NOT user@group) to
> the authenticator machine (maybe another radius, ldap, mysql, ...).
> 4. Then the authenticator machine answers to the frontend only with "OK"
> or "NOT OK".
> 5. If "OK" from step(4), then the freeradius answers the NAS with
> "access granted" and some attributes extracted from the "group" (ip
> pool, netmask, default gw, ... _AND_ THE GROUP THAT IS AFTER THE @).
>
> NOTE THAT:
> - The unique function of the authenticators is saying "OK" if the
> username and passwd are correct or "NOT OK" if not.
> - NO USERS are defined in the radius frontend (only GROUPS with their
> respective attributes).
>
> Is there any "intelligent" way of accomplishing this design with freeradius?

Yes. Did you read the documentation? Start at:
http://wiki.freeradius.org/Proxy

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
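The front-end decision flow from steps 1 to 5 of the quoted question, modelled as an added example that is not part of either message and is not FreeRADIUS code or configuration. The group table, the `static_backend` stand-in for an authenticator, the `Group` reply attribute name and the choice to split on the last `@` are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass(frozen=True)
class Group:
    authenticate: Callable[[str, str], bool]  # authenticator: True means "OK"
    reply: Dict[str, str]                     # attributes defined per group

def split_user(user_name: str) -> Optional[Tuple[str, str]]:
    """Split 'user@group' on the last '@' (assumption); None if a part is empty."""
    user, sep, group = user_name.rpartition("@")
    if not sep or not user or not group:
        return None
    return user, group

def handle_access_request(groups, user_name, password):
    """Steps 2-5: pick the authenticator by group only, then build the reply."""
    parsed = split_user(user_name)
    if parsed is None:
        return "Access-Reject", {}
    user, group_name = parsed
    group = groups.get(group_name)
    if group is None:                  # unknown group: fail closed, no default
        return "Access-Reject", {}
    try:
        ok = group.authenticate(user, password)  # step 3: user without @group
    except Exception:
        ok = False                     # authenticator failure counts as "NOT OK"
    if ok is not True:
        return "Access-Reject", {}
    reply = dict(group.reply)          # step 5: attributes come from the group
    reply["Group"] = group_name        # hypothetical attribute carrying the group
    return "Access-Accept", reply

def static_backend(users: Dict[str, str]) -> Callable[[str, str], bool]:
    """Constructed stand-in for a real authenticator (RADIUS, LDAP, MySQL)."""
    def check(user: str, password: str) -> bool:
        expected = users.get(user)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
    return check

# Constructed sample data: group names, users and pool names are made up.
GROUPS = {
    "sales": Group(static_backend({"alice": "s3cret"}),
                   {"Framed-Pool": "sales-pool", "Framed-IP-Netmask": "255.255.255.0"}),
    "eng": Group(static_backend({"alice": "other"}), {"Framed-Pool": "eng-pool"}),
}
```

Because the same user name can exist in several groups, the group string alone selects the authenticator, and a request with a missing or unknown group is rejected rather than sent to a default backend.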