Split authorization / authentication

Alan DeKok aland at deployingradius.com
Wed Jun 13 15:48:47 CEST 2012


Emmanuel BILLOT wrote:
> What module should I use to send MAC addresses to another radius server,
> and getting back ok/nok before testing EAP ?

  That WILL NOT work.  The server cannot proxy and also authenticate users.

  This is what a database is for.  Put the MAC addresses into a
database, and query that during the authorization phase.

> Using unlang yes, but what directive should I use ? Proxy cannot be one
> because MAC address has no suffix.

  If you're just going to proxy requests, you can proxy them anywhere
you want, based on any criteria.  Just set Proxy-To-Realm, using the
realm name.

  The default is to proxy via domain suffixes.  But other methods can
also be used.  There is no requirement for suffixes to be the *only*
method of proxying.

  Alan DeKok.
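
The two approaches described in the reply above, sketched as FreeRADIUS unlang. This is an added example, not part of the original post and not configuration from the poster or the FreeRADIUS project. It assumes an "sql" module instance is already configured; the table "mac_allow", its column "mac", and the realm name "mac_check" are hypothetical names.

```unlang
# Option A: authenticate locally, with the MAC check done as a database
# query during the authorization phase, before EAP is tried.
authorize {
	preprocess

	# Calling-Station-Id carries the client MAC. Its format (case,
	# separators) varies by NAS and must match what is stored in the table.
	# "mac_allow" / "mac" are hypothetical names for this example.
	if ("%{sql:SELECT COUNT(*) FROM mac_allow WHERE mac = '%{Calling-Station-Id}'}" > 0) {
		ok
	}
	else {
		# Unknown MAC: stop here, EAP is never started.
		reject
	}

	eap
}

# Option B (alternative to A, not in addition to it): the request is only
# proxied, never authenticated locally. The realm is picked by setting
# Proxy-To-Realm, so no domain suffix is needed in the User-Name.
authorize {
	preprocess

	# Example criterion (an assumption): the NAS sends the bare MAC,
	# 12 hex digits, as the User-Name.
	if (User-Name =~ /^[0-9a-fA-F]{12}$/) {
		update control {
			# "mac_check" is a hypothetical realm; it must be
			# defined in proxy.conf.
			Proxy-To-Realm := "mac_check"
		}
	}
}
```

Only one of the two authorize sections would be used in a given virtual server, since a single request is either handled locally or proxied.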

