Proxy decision based on LDAP lookups and Radius_client match.
Alan DeKok
aland at deployingradius.com
Sun Oct 30 14:18:07 CET 2011
Frank Skovboel wrote:
> I have been asked to build a radius proxy using freeradius, and I'm
> completely new to freeradius, and with the flexibility in freeradius I'm
> having a hard time figuring out how to accomplish my goal, or if it's
> even possible to do.
Pretty much anything is possible. :)
> I imagine the flow is something like:
> 1) User from Company A tries to login
> 2) Company A's VPN sends a radius request to Freeradius
> 3) Freeradius looks at the Radius_client IP and finds the right AD.
See "man unlang"
> 4) Freeradius does an LDAP bind to Company A's AD, and checks if the
> user exists.
  if (Packet-Src-IP-Address == 1.2.3.4) {
          ldap_a
  }
  elsif (Packet-Src-IP-Address == 4.5.6.7) {
          ldap_b
  }
Configure two copies of the LDAP module. See raddb/modules/files for
simple documentation on how this is done. Point ldap_a at the AD for
company A, and ldap_b at the AD for company B.
> 5) If user exists, request is proxied to the OTP radius; if the user does
> not exist, access-reject is sent from Freeradius.
After the above config:
  if (notfound) {
          reject
  }
  else {
          update control {
                  Proxy-To-Realm := "otp"   # assumed realm name, defined in proxy.conf
          }
  }
Alan DeKok.
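A fuller version of the configuration sketched in the reply above, written as an added example that is not part of the original thread: it puts the two LDAP module instances, the proxy realm and the authorize section side by side. The hostnames, IP addresses, DNs and the realm name "otp" are assumptions.

```unlang
# Added example: module instances, proxy realm and authorize section in one place.
# Hostnames, IP addresses, DNs and the realm name "otp" are assumptions.

# raddb/modules/ldap_a (make a second copy as ldap_b pointing at Company B's AD)
ldap ldap_a {
    server = "ad-a.example.internal"
    identity = "CN=svc-radius,OU=Service Accounts,DC=a,DC=example"
    password = "CHANGE-ME"
    basedn = "DC=a,DC=example"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
}

# raddb/proxy.conf: the OTP server that found users are forwarded to
home_server otp {
    type = auth
    ipaddr = 10.0.0.50
    port = 1812
    secret = CHANGE-ME
}
home_server_pool otp_pool {
    type = fail-over
    home_server = otp
}
realm otp {
    auth_pool = otp_pool
}

# raddb/sites-enabled/default, authorize section
authorize {
    preprocess
    # Choose the directory by the VPN gateway that sent the request.
    if (Packet-Src-IP-Address == 1.2.3.4) {
        ldap_a
    }
    elsif (Packet-Src-IP-Address == 4.5.6.7) {
        ldap_b
    }
    else {
        # A client not mapped to any directory is neither looked up nor proxied.
        reject
    }
    # rlm_ldap returns notfound when the user has no entry in that AD.
    if (notfound) {
        reject
    }
    # Only users present in their company's AD reach the OTP server.
    update control {
        Proxy-To-Realm := "otp"
    }
}
```

If the LDAP server is unreachable the module returns fail rather than notfound, and the section stops there, so an AD outage results in rejects instead of unchecked proxying.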