Proxy decision based on LDAP lookups and Radius_client match.

Frank Skovboel fs at secu.dk
Sun Oct 30 12:56:34 CET 2011


Hi, 

I have been asked to build a radius proxy using freeradius. I'm completely new to freeradius, and with the flexibility in freeradius I'm having a hard time figuring out how to accomplish my goal, or if it's even possible to do. 

Objective: 
I need to verify that the user that tries to login from Company A really is an employee of Company A, and not an employee of Company B. For this purpose I have access to each company's AD, and of course I know which radius clients belong to each company. Once I have validated that the user exists in the company's AD, I then have to proxy the request to another radius server where the user's OTP will be validated, and from that give an access-accept or access-reject. If the user does not exist in the company's AD, freeradius should send an access-reject and not proxy it to the OTP radius. 

I imagine the flow is something like: 
1) User from Company A tries to login 
2) Company A's VPN sends a radius request to Freeradius 
3) Freeradius looks at the Radius_client IP and finds the right AD. 
4) Freeradius does an LDAP bind to Company A's AD, and checks if the user exists. 
5) If the user exists, the request is proxied to the OTP radius; if the user does not exist, an access-reject is sent from Freeradius. 

I have freeradius set up to proxy the request to the OTP radius server today, without any checks. 

As I said, I'm completely new to Freeradius and not sure which files I need to configure or what to put in them, so any help is highly appreciated. 

-- 

Thank you, 
Frank Skovboel 

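One way to wire up the five-step flow above, added here as an illustration and not taken from the post or from the FreeRADIUS project's own configuration. It uses the FreeRADIUS 2.x file layout and syntax that was current in 2011 (in 3.x the ldap module moves `basedn`/`filter` into a `user { }` subsection); the client names, hostnames, IP addresses, base DNs, service-account DNs and secrets are placeholders. The idea is: each VPN is a named `client`, one `ldap` instance exists per company, `authorize` picks the instance from `Client-Shortname`, and only a successful lookup sets `Proxy-To-Realm` so the request goes to the OTP home server; a `notfound` (or an LDAP failure) becomes a local Access-Reject and nothing is proxied.

```unlang
# ---- clients.conf (assumed addresses and secrets) ---------------------------
# The shortname is what authorize switches on via the Client-Shortname
# virtual attribute, so it must match the case labels below exactly.
client companyA_vpn {
        ipaddr    = 192.0.2.10
        secret    = CHANGE-ME-A
        shortname = companyA_vpn
}
client companyB_vpn {
        ipaddr    = 192.0.2.20
        secret    = CHANGE-ME-B
        shortname = companyB_vpn
}

# ---- modules/ldap: one instance per company's Active Directory --------------
# Only an existence lookup is done; the user's password is never checked here,
# the OTP server decides accept/reject.  rlm_ldap escapes LDAP filter
# metacharacters in the expanded User-Name, so a crafted login name cannot
# rewrite the filter.  Run the same block twice, once per company.
ldap companyA_ldap {
        server   = "dc1.companya.example"        # assumed hostname
        identity = "CN=radius-svc,OU=Service Accounts,DC=companya,DC=example"
        password = "CHANGE-ME-LDAP-A"
        basedn   = "DC=companya,DC=example"
        # Look up by sAMAccountName; use the realm-stripped name if a realm
        # module ran, otherwise the raw User-Name.
        filter   = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        # Optional tighter filter that also excludes disabled AD accounts:
        # filter = "(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
        ldap_connections_number = 5
        timeout     = 4
        timelimit   = 3
        net_timeout = 1
        tls {
                start_tls   = yes                 # keep the bind password off the wire
                cacertfile  = /etc/raddb/certs/companya-ca.pem   # assumed path
                require_cert = "demand"
        }
}
ldap companyB_ldap {
        server   = "dc1.companyb.example"
        identity = "CN=radius-svc,OU=Service Accounts,DC=companyb,DC=example"
        password = "CHANGE-ME-LDAP-B"
        basedn   = "DC=companyb,DC=example"
        filter   = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout     = 4
        timelimit   = 3
        net_timeout = 1
        tls {
                start_tls   = yes
                cacertfile  = /etc/raddb/certs/companyb-ca.pem
                require_cert = "demand"
        }
}

# ---- proxy.conf: the OTP server as the only proxy destination ---------------
home_server otp_server {
        type   = auth
        ipaddr = 198.51.100.20                   # assumed OTP RADIUS address
        port   = 1812
        secret = CHANGE-ME-OTP
        status_check = status-server
}
home_server_pool otp_pool {
        type = fail-over
        home_server = otp_server
}
realm otp {
        auth_pool = otp_pool
        nostrip                                  # forward User-Name unchanged
}

# ---- sites-enabled/default: steps 3, 4 and 5 of the flow -------------------
authorize {
        # Step 3: which VPN sent this?  Unknown clients never reach clients.conf,
        # but the default case still rejects anything not mapped to an AD.
        switch "%{Client-Shortname}" {
                case "companyA_vpn" {
                        companyA_ldap                    # step 4
                }
                case "companyB_vpn" {
                        companyB_ldap
                }
                case {
                        reject
                }
        }

        # Step 5: the ldap module returns ok/updated when the user exists,
        # notfound when it does not, and fail if the directory was unreachable.
        # Anything other than a positive hit is answered locally with
        # Access-Reject, so the OTP server is never contacted for such users.
        if (!(ok || updated)) {
                reject
        }

        # User exists in the right AD: hand the request to the OTP server.
        # Its Access-Accept / Access-Reject is relayed back to the VPN.
        update control {
                Proxy-To-Realm := "otp"
        }
}
```

Two points worth checking in a running deployment: `radiusd -X` shows the `Client-Shortname` value and the ldap module's return code per request, which is the quickest way to confirm that a Company B account presented through Company A's VPN ends in `reject` without a proxied packet; and the LDAP service accounts only need read access to `sAMAccountName`, so they should not be granted anything more.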
