Freeradius with LDAP and in second LDAP Authorization or Proxying

A.L.M.Buxey at lboro.ac.uk
Mon Mar 13 10:59:30 CET 2017


Hi,

> I have a problem with the setup I have to do.
> We have two types of customers (managed and unmanaged). In our setup we
> get all access-requests to the same radius server.
> In this radius server we then have to decide if we have to proxy the
> request (unmanaged customer) or authorize against our
> LDAP server (unmanaged customer).
> The information whether the customer is managed/unmanaged, along with proxy
> and user information, is in the same LDAP and I have
> to query it first to decide what to do.
> Is such a setup possible with freeradius?
> 
> My specs:
> Ubuntu 16.04
> FreeRADIUS Version 2.2.8 (2.2.8+dfsg-0.1build2 from apt)
> 
> The basic setup with authorization/authentication against the LDAP is
> running very well, but the extension with the unmanaged
> customers gives me a headache. I need help to find the right direction to run.

so you authorize already?  if so, what LDAP attribute (group etc) can you use to distinguish
the 2 types?  just use that as the basis for unlang

in authorize {}, just after ldap, you can do eg

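# LDAP-Group is a comparison attribute evaluated by the ldap module,
# so it is referenced by name rather than expanded with %{...}
if (LDAP-Group == "unmanaged") {
	update control {
		# hand the request to the realm named "unmanaged" in proxy.conf
		Proxy-To-Realm := unmanaged
	}
	updated
}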


and then in proxy.conf set up an 'unmanaged' server group to send the request to.


note, none of the above is validated/error-free/tested, there's probably at least a few syntax errors but it
will give you the fundamental idea...

alan
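
The proxy.conf side of the reply above, as an added example that is not part of the original post: a FreeRADIUS 2.x home server, fail-over pool and realm whose name matches the value set in Proxy-To-Realm. The names unmanaged_hs1 and unmanaged_pool, the address 192.0.2.10 and the secret are placeholders chosen for illustration.

```conf
# proxy.conf (FreeRADIUS 2.x syntax)

# Upstream RADIUS server that authenticates unmanaged customers.
home_server unmanaged_hs1 {
	type = auth
	ipaddr = 192.0.2.10            # placeholder (documentation address range)
	port = 1812
	# Placeholder. Use a long random shared secret that is unique to this
	# peer, and keep this file readable only by the radius user.
	secret = REPLACE_WITH_LONG_RANDOM_SECRET

	# Detect a dead home server with Status-Server probes. The remote end
	# must support them; otherwise set status_check = none.
	response_window = 20
	zombie_period = 40
	status_check = status-server
	check_interval = 30
	num_answers_to_alive = 3
}

# The "server group": further home_server entries can be listed here
# and are tried in order when the first one is marked dead.
home_server_pool unmanaged_pool {
	type = fail-over
	home_server = unmanaged_hs1
}

# Realm name must match the value assigned to Proxy-To-Realm in authorize {}.
realm unmanaged {
	auth_pool = unmanaged_pool
	nostrip                        # forward User-Name unchanged
}
```

Because the realm is selected only through the control attribute, requests for managed customers never match it and continue through local LDAP authentication.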

