On Sat 23 Sep 2006 13:41, srg krn wrote:
Hello:
We want to design an AAA system with the following requisites:
COMPONENTS THAT WE HAVE: A) NAS(es) B) freeradius frontend C) authenticators
WHAT WE CAN DO IS: 1. The NAS send a radius "access-request" to the radius frontend. In the packet there is a username (in username@group) syntax and a password. 2. The frontend MUST decide the authentication method and the authenticator machine based ONLY in the group (string AFTER the @). 3. The frontend sends user and password (note that NOT user@group) to the authenticator machine (maybe another radius, ldap, mysql, ...). 4. Then authenticator machine answer's to the frontend only with "OK" or "NOT OK". 5. If "OK" from step(4), then the freeradius answer's the NAS with "access granted" and some attributes extracted from the "group" (ip pool, netmask, default gw, ... _AND_ THE GROUP THAT IS AFTER THE @).
NOTE THAT: - The unique function of the authenticators is saying "OK" if the username and passwd are correct or "NOT OK" if not. - NO USERS are defined in the radius frontend (only GROUPS with their respective attributes).
Is there any "intelligent" way of acomplishing this design with freeradius?
Yes. Did you read the documentation? Start at: http://wiki.freeradius.org/Proxy -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc