Hello all,
We are trying to set up a cross-auth proxy setup between our five
RADIUS servers in different realms at five different institutions, so
that any active student, staff, or faculty from any of our
institutions can go to any of the other institutions and log onto the
network. This means that if a user from institution B comes to my
institution, I want my RADIUS server to ask the RADIUS server over at
institution B instead of using the local setup.
I've gotten much of it working, both authorizing and authenticating
against our LDAP database here, but something about the authorization
step is unclear to me. At the moment, I have it set up so that if I
get a login request, it checks to see if the user is a member of the
correct group(s) (authorization), and THEN authenticates the user,
checking the realm to see where it should send the request for
authentication. This all works very well, except that the
authorization step only works if the user is one of MY users. If the
user is one of the other four colleges' users, then the authorization
step fails (since the user doesn't exist in my LDAP database) and the
user is rejected. So I think I need to do one of three things:
1. Proxy authorization as well - it's not clear how to do this. Can
you? I'd really just like to forward the entire request elsewhere,
before anything else happens, so I'd like to check the realm FIRST,
and not do anything if it's not a local realm.
2. Skip authorization entirely unless the user is a member of a
specific realm. Again, it's not clear to me how to do this. Any ideas?
3. something else I haven't thought of yet.
This must be something other people do too, yes? We'd like to be
able to do the authorization step, because I don't want, for instance,
alumni or guest users (who are in the LDAP database) to be able to
log in.
I'm currently using FreeRADIUS 1.0.2, but I can upgrade if I need to.
Thanks for any help, and if more info is needed, just ask!
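An added example of option 1 (check the realm FIRST and proxy the whole request before any local authorization), not from the original post. It is written for FreeRADIUS 3.x unlang, so it assumes the upgrade the poster mentions; 1.0.2 has no unlang. The module names (suffix, ldap), the realms (college-a.edu as the local realm, college-b.edu as one remote realm), the LDAP group "active", the 192.0.2.10 address and the shared secret are all placeholders.

```conf
# --- sites-enabled/default (FreeRADIUS 3.x), authorize section only ---
# Added example, not the poster's config. Assumed names: realm module
# "suffix", LDAP module "ldap", local realm college-a.edu, LDAP group "active".
authorize {
    preprocess

    # Check the realm FIRST. For a realm in proxy.conf that has an
    # auth_pool, rlm_realm sets control:Proxy-To-Realm; for the local
    # realm (and for bare usernames with no "@") it does not.
    suffix

    # Remote user (e.g. someone@college-b.edu): stop here. After the
    # authorize section the request is forwarded to that realm's home
    # server, so neither the local group check nor local authentication
    # runs. College B decides whether its user is still active.
    if (&control:Proxy-To-Realm) {
        return
    }

    # Local user: look them up in LDAP and require the group. Alumni and
    # guests exist in LDAP but are not in "active", so they are rejected.
    ldap
    if (notfound) {
        reject
    }
    if (!(&LDAP-Group == "active")) {
        reject
    }
}

# --- proxy.conf: one remote institution plus the local realm ---
home_server college_b {
    type   = auth
    # Placeholder address of college B's RADIUS server.
    ipaddr = 192.0.2.10
    port   = 1812
    # Placeholder; use a long random secret agreed with college B.
    secret = replace-with-real-shared-secret
}

home_server_pool college_b_pool {
    type        = fail-over
    home_server = college_b
}

realm college-b.edu {
    # Has an auth_pool, so rlm_realm sets Proxy-To-Realm for this realm.
    auth_pool = college_b_pool
}

realm college-a.edu {
    # No auth_pool, so this realm is LOCAL and requests are handled here.
}
```

Two things to check once this is in place: the only thing authenticating college B's server to yours is its source address plus the shared secret, and your server will accept whatever Access-Accept it returns, so each institution has to enforce its own "active members only" rule on its own server. Also, a username with no "@" is never matched by the realm module and is treated as local, which is what you want for your own users who type a bare login.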