Re: group based authentication



Thanks a lot for your response.
About your question... Yes I did.
From the doc at http://wiki.freeradius.org/Proxy :
"It is possible to use FreeRADIUS as a proxy RADIUS server. This means
that it can consult a remote RADIUS server to validate a user."

We need it to be possible for the "remote RADIUS that validates the user" to be a
radius OR LDAP OR MYSQL OR ... (point 3 of my question).

Thanks and best regards

On 9/23/06, Peter Nixon <listuser@peternixon.net> wrote:
On Sat 23 Sep 2006 13:41, srg krn wrote:
> Hello:
>
> We want to design an AAA system with the following requisites:
>
> COMPONENTS THAT WE HAVE:
> A) NAS(es)
> B) freeradius frontend
> C) authenticators
>
> WHAT WE CAN DO IS:
> 1. The NAS sends a radius "access-request" to the radius frontend.
> In the packet there is a username (in username@group syntax) and a
> password.
> 2. The frontend MUST decide the authentication method and the
> authenticator machine based ONLY on the group (string AFTER the @).
> 3. The frontend sends user and password (note that NOT user@group) to
> the authenticator machine (maybe another radius, ldap, mysql, ...).
> 4. Then the authenticator machine answers the frontend only with "OK"
> or "NOT OK".
> 5. If "OK" from step(4), then the freeradius answers the NAS with
> "access granted" and some attributes extracted from the "group" (ip
> pool, netmask, default gw, ... _AND_ THE GROUP THAT IS AFTER THE @).
>
> NOTE THAT:
> - The unique function of the authenticators is saying "OK" if the
> username and passwd are correct or "NOT OK" if not.
> - NO USERS are defined in the radius frontend (only GROUPS with their
> respective attributes).
>
> Is there any "intelligent" way of accomplishing this design with freeradius?

Yes.
Did you read the documentation?

Start at:
http://wiki.freeradius.org/Proxy

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
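
The five-step flow from the original question, modelled in Python as an added example (not part of the thread and not FreeRADIUS configuration). The group names, reply attributes, credentials and in-memory backends are constructed stand-ins, and splitting on the last "@" is an assumption.

```python
import hmac

def make_backend(credentials):
    """Stand-in for a remote authenticator (RADIUS, LDAP, MySQL): answers only OK / NOT OK."""
    def check(user, password):
        stored = credentials.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())
    return check

# Constructed sample data: the frontend knows GROUPS only, never individual users.
BACKENDS = {
    "ldap": make_backend({"alice": "s3cret"}),
    "sql": make_backend({"bob": "hunter2"}),
}
GROUPS = {
    "sales": {"backend": "ldap",
              "reply": {"Framed-Pool": "sales-pool", "Framed-IP-Netmask": "255.255.255.0"}},
    "eng": {"backend": "sql",
            "reply": {"Framed-Pool": "eng-pool", "Framed-IP-Netmask": "255.255.255.128"}},
}
REJECT = {"code": "Access-Reject"}

def split_user_name(user_name):
    """Split 'user@group' on the last '@' (assumption); None if either part is missing."""
    user, sep, group = user_name.rpartition("@")
    if not sep or not user or not group:
        return None
    return user, group

def handle_access_request(user_name, password):
    parsed = split_user_name(user_name)             # step 1: username arrives as user@group
    if parsed is None:
        return REJECT                               # malformed name: fail closed
    user, group = parsed
    profile = GROUPS.get(group)                     # step 2: the group alone selects the backend
    if profile is None:
        return REJECT                               # unknown group: no default backend
    if not BACKENDS[profile["backend"]](user, password):   # steps 3-4: bare user, OK / NOT OK
        return REJECT
    attributes = dict(profile["reply"])             # step 5: attributes come from the group only
    attributes["group"] = group
    return {"code": "Access-Accept", "attributes": attributes}

if __name__ == "__main__":
    print(handle_access_request("alice@sales", "s3cret"))
    print(handle_access_request("alice@eng", "s3cret"))
```

A correct password for one group does not authenticate against another group's backend, and a name with no group or an unknown group is rejected rather than routed to a default.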

