Authenticate locally then proxy

Alan DeKok aland at
Mon Jun 22 16:30:41 CEST 2020

On Jun 22, 2020, at 10:22 AM, Júlíus Þór Bess Ríkharðsson <julius.bess at> wrote:
> I'm wondering if I can authenticate users locally and then proxy the 
> request. I'm hoping to authenticate the user on both servers, and if 
> both can, then reply with Access-Accept.

  The answer is "it depends".

  For EAP? No.  For PAP?  Probably.  MS-CHAP?  Likely not.

> I've been searching around and It seems like it's only possible in 
> version 4 because of the way versions up to 3 do proxying. Am I wrong?

  It's certainly a lot easier in v4.  i.e. pretty much trivial.

> I'm hoping that it's possible somehow using unlang in version 3.
> The reason for doing this is I want to continue authenticating users 
> locally (AD as users db) and then proxy the request for MFA/2FA push 
> notifications.

  Is the server receiving User-Password attributes?  If so, it should be relatively simple.  Otherwise, it may be a lot more difficult.

  Alan DeKok.

More information about the Freeradius-Users mailing list