[E] Re: Can I conditionally proxy?

Gary Algier gary.algier at mavenir.com
Thu Jun 7 23:29:03 CEST 2018


Thanks for the hints.   I have proxying working for both the old and the new backend servers.   I am just having problems with the "if" statement.

For example, during testing I had:
realm NULL {
auth_pool = mfa_pool
This worked with the new MFA servers.
I could change that to "tms_pool" to connect to the old TMS servers.
Both worked.

I then tried:
     realm NULL {

     if (%{ad_query:ldap:///?samaccountname?sub?&((samaccountname=%u)(memberof=CN=R-Global-ICT-Remote-Access*))}) {
          auth_pool = mfa_pool
     else {
           auth_pool = tms_pool

I got the following error:
/etc/raddb/proxy.conf[507]: Invalid location for 'if'
Errors reading or parsing /etc/raddb/radiusd.conf

I guess one is not allowed to use unlang inside a realm?

What basic concept am I missing?


-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+gary.algier=mavenir.com at lists.freeradius.org] On Behalf Of Nathan Ward
Sent: Wednesday, June 06, 2018 1:45 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: [E] Re: Can I conditionally proxy?

> On 6/06/2018, at 6:38 PM, Gary Algier <gary.algier at mavenir.com> wrote:
> Hello,
> I have used FreeRADIUS before as a RADIUS server but I now wish to use it as a conditional proxy.
> We have two RADIUS servers that implement 2 factor authentications.   We wish to migrate from the old system to the new system a few users at a time.
> I would like to setup FreeRADIUS to do something like this:
> if (the user is in a particular AD group) {// I can do an LDAP lookup,
> if necessary proxy to the new 2fa system } else { proxy to the old 2fa
> system }
> Can anyone help with examples of some sort of conditional proxying?

Yep, this is trivial.

Figure out how to proxy to a single system and get that working - say to your “old 2fa system", you’ll very quickly see how you can modify that to proxy to different systems. You do basically what you described above, but, different proxy to realm etc.

Maybe read the "Proxying from unlang” bit in the config/Proxy page in the wiki, if that’s not how you’re doing it already I can see why it may not be obvious :-)

Nathan Ward

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This e-mail message may contain confidential or proprietary information of Mavenir Systems, Inc. or its affiliates and is intended solely for the use of the intended recipient(s). If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies in your control and contact us by e-mailing to security at mavenir.com. This message contains the views of its author and may not necessarily reflect the views of Mavenir Systems, Inc. or its affiliates, who employ systems to monitor email messages, but make no representation that such messages are authorized, secure, uncompromised, or free from computer viruses, malware, or other defects. Thank You

More information about the Freeradius-Users mailing list