Proxy Question

Matthew Newton mcn4 at
Wed Apr 25 15:56:57 CEST 2012

On Wed, Apr 25, 2012 at 09:19:58AM -0400, David Peterson wrote:
> I have more of an abstract question as to proxy functionality.  Can you do
> the following:
> bob at password test
> -> proxy to localhost
> bob at - reply Access Deny
> This would be the norm for that realm, just deny everyone.
> Except for bob's boss:
> boss at password gooduser
> -> proxy to actual external AAA server.
> I hope this isn't a complete mess of a question.

Yes - proxying only happens if you hit the end of the authorize {}
section having set the Proxy-To-Realm control attribute.

So you can set/not set that, based on anything in the incoming
packet, to determine if it should be proxied or not.

Something like (completely untested)

if (User-Name =~ /whatever/) {
  update control {
    Proxy-To-Realm := 'externalaaa'
  }
}
else {
  reject  # assumed else body (cut off in the archive): deny locally
}

Then create realm 'externalaaa' in your proxy.conf file, as

There must be many ways to do this. Another possibility in your
users file -

boss at    Proxy-To-Realm := 'whatever'

DEFAULT         Auth-Type := Reject



Matthew Newton, Ph.D. <mcn4 at>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>
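
An added example, not part of the original message: a minimal proxy.conf definition for the 'externalaaa' realm that Proxy-To-Realm points at. The home server and pool names, the address (a documentation-range placeholder) and the secret are assumptions to be replaced with the real external AAA server's details.

```conf
# proxy.conf (added example; names, address and secret are placeholders)

# The external AAA server that accepted requests are forwarded to.
home_server externalaaa_server {
    type   = auth
    ipaddr = 192.0.2.10          # placeholder address
    port   = 1812
    secret = CHANGE_ME           # shared secret agreed with the external server
}

# A pool is required even for a single home server.
home_server_pool externalaaa_pool {
    type        = fail-over
    home_server = externalaaa_server
}

# The realm name must match the value assigned to Proxy-To-Realm.
realm externalaaa {
    auth_pool = externalaaa_pool
    nostrip                      # forward User-Name unchanged
}
```

Only requests that reach the end of authorize {} with Proxy-To-Realm set to this realm are forwarded; everything else is handled locally. Anchoring the User-Name regex (for example with ^ and $) keeps other names that merely contain the pattern from being proxied.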
