Proxy requests on multiple backend Radius servers based on LDAP Group Membership

Mathieu CLAIR mclair at protego.net
Mon Oct 15 16:16:05 CEST 2018


Hey there, 

 

I'm trying to route Radius requests on 2 backend Radius servers based on
LDAP group membership. The purpose is to send Radius requests on the 1st
server when the user is a member of an LDAP group (example
CN=MyGroup,CN=Users,DC=foo,DC=bar) and to send all other requests on the 2nd
Radius server.

I'm wondering if it's possible and what is the best way to do it.

 

I started to think about the folowing process :

                - declare an LDAP filter like
(&(objectClass=user)(sAMAccountName=%{User-Name})(memberof=CN=MyGroup,CN=Use
rs,DC=foo,DC=bar))

                - use the filter (match not null ?) in the site
configuration 

 

Something that sounds like bellow :      

 

my_ldap_filter =
(&(objectClass=user)(sAMAccountName=%{User-Name})(memberof=CN=MyGroup,CN=Use
rs,DC=foo,DC=bar))

authorize {

                if (%{my_ldap_filter} != "") {

                               update control {

 
Proxy-To-Realm := 'Radius1'

                               }

                }

                else {

                               update control {

 
Proxy-To-Realm := 'Radius2'

                               }

                }

}

 

I'm not sure about the syntax of this. Of course, I faced several errors
"Entry is not a reference to a module" when I start manually the freeradius
server. Do I need to use the LDAP module ?

Thank you for your answer 

BR,

 

Mathieu              



More information about the Freeradius-Users mailing list