Multiple servers using Realms.

Fajar A. Nugraha list at fajar.net
Mon Feb 6 00:45:44 CET 2012


On Mon, Feb 6, 2012 at 2:18 AM, Jan Hugo Prins <jhp at jhprins.org> wrote:
> But now I'm reading the documentation and I get the impression from the
> REALM stuff that I should be able to create multiple parallel server
> instances in one configuration.

Realms and virtual servers do not necessarily have a one-to-one
mapping, but yes, you can have many virtual servers in FR, and one (but
not the only) way to select which one to use is by using realms.

> On VAP1 I want to authenticate users from domain1. These users all have
> a full LDAP account and authentication works fine against this LDAP. I
> have configured this and everyone can login using its mailLocalAddress
> attribute for authentication and the radius server is using the
> credentials you give it to try to bind to LDAP and if this is successful
> you are granted access to the Wireless accesspoint for domain1.
>

Pretty simple.

> On VAP2 I want to authenticate users from domain2. These users are all
> in an ADS and my radius server probably has to proxy to this ADS for
> authentication. Am I right there?

If by ADS you mean Active Directory, no.

You need to either:
- set up FR to authenticate using AD (see
http://deployingradius.com/documents/configuration/active_directory.html),
OR
- proxy it to a radius server that gets data from AD (e.g. MS
IAS/NPS), not proxy it to the AD.

> On VAP3 I have a different customer. This customer is in a different OU
> in the same openldap server as the users on VAP1. I need to isolate the
> 2 sets of users and in the configuration for VAP1 I have put the Base
> for the LDAP search inside the OU of these users, that way other
> customers are not able to authenticate against this setup. For the users
> in VAP3 I have to create a different LDAP connection in the Radius
> server that points to the OU for this company.
>
> Can this indeed be done in one radius server configuration? Or do I need
> multiple servers to do this. If this is possible does someone have some
> pointers for me and maybe some example configurations?

Some of it might be possible using the default virtual server and
unlang, but it should also work using realms and many virtual servers.

-- 
Fajar
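The realms-plus-virtual-servers layout Fajar describes, written out as an added example. This is not configuration from the original thread or from the FreeRADIUS project; it assumes FreeRADIUS 2.x syntax (current when the thread was written), that users log in as user@realm so the `suffix` module can pick a realm, and all hostnames, DNs, realm names and the `vap1`/`vap2`/`vap3` server names are constructed placeholders. Each customer gets its own `ldap` instance whose `basedn` is pinned to that customer's OU, which is what keeps the two OpenLDAP populations apart.

```conf
# ---- raddb/modules/customers (constructed example, FreeRADIUS 2.x syntax) ----

# Split "user@realm" into Stripped-User-Name and Realm; the Realm picks
# the virtual server via proxy.conf below.
realm suffix {
    format    = suffix
    delimiter = "@"
}

# One ldap instance per customer. Because the search base is the
# customer's own OU, a user from another OU is never found at all.
ldap ldap_domain1 {
    server   = "ldap.example.invalid"             # assumed host
    identity = "cn=radius,dc=example,dc=invalid"  # assumed bind DN
    password = "CHANGE-ME"
    basedn   = "ou=domain1,dc=example,dc=invalid"
    # The poster authenticates by mail address, so match on mailLocalAddress.
    # Use the full User-Name here: the suffix module strips the @realm part
    # into Stripped-User-Name, but the mail attribute contains it.
    filter   = "(mailLocalAddress=%{User-Name})"
}

ldap ldap_customer3 {
    server   = "ldap.example.invalid"
    identity = "cn=radius,dc=example,dc=invalid"
    password = "CHANGE-ME"
    basedn   = "ou=customer3,dc=example,dc=invalid"
    filter   = "(mailLocalAddress=%{User-Name})"
}

# AD users: FR does the MS-CHAP check itself through ntlm_auth on a
# winbind-joined Samba, as in the deployingradius.com document linked above.
mschap {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# ---- raddb/proxy.conf: each realm is handled by a LOCAL virtual server ----
realm domain1.example   { virtual_server = vap1 }
realm domain2.example   { virtual_server = vap2 }
realm customer3.example { virtual_server = vap3 }

# ---- raddb/sites-enabled/default: only splits the realm, then hands off ----
server default {
    authorize {
        preprocess
        suffix            # sets Realm -> request is routed to the realm's virtual_server
    }
}

# ---- raddb/sites-enabled/vap1: domain1, bind-as-user against its own OU ----
server vap1 {
    authorize {
        preprocess
        ldap_domain1      # finds the DN; sets Auth-Type LDAP when nothing else claimed it
    }
    authenticate {
        Auth-Type LDAP {
            ldap_domain1  # binds as the found DN with the password the user supplied
        }
    }
}

# ---- raddb/sites-enabled/vap2: domain2, Active Directory via mschap ----
server vap2 {
    authorize {
        preprocess
        mschap
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
    }
}

# ---- raddb/sites-enabled/vap3: second OpenLDAP customer, separate OU ----
server vap3 {
    authorize {
        preprocess
        ldap_customer3
    }
    authenticate {
        Auth-Type LDAP {
            ldap_customer3
        }
    }
}
```

Two things worth checking before relying on this. Bind-as-user LDAP authentication only works when the server receives the password in a form it can bind with (PAP, or an EAP-TTLS/PAP inner method); with PEAP/MSCHAPv2 the server never sees the clear password, so the OpenLDAP virtual servers would need a readable password attribute instead. And since realm selection trusts the suffix the client typed, a user of one customer can pick another customer's realm; that is harmless here only because each ldap instance's `basedn` prevents a cross-OU lookup, which is why the per-instance base, not the realm, is the actual isolation boundary. If the VAPs reach the server as distinct NAS clients, selecting the virtual server per client (`virtual_server` in the `client` block) avoids depending on the typed suffix at all.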



More information about the Freeradius-Users mailing list