The question was "how does freeradius talk to authentication database". What does it send to it and what does it get back?
I´ll do my best to explain.
Access-Request packet from NAS/AAA-client contains: User-Name User-Password (One-Time-Password) NAS-IP-Address
FreeRadius checks with SQL: Is user allowed to access through this (NAS-IP-Address)? Check User-Name / profile.
OK, that can all be done in radcheck/radgroupcheck perhaps (sql)huntgroups as well.
To which server do i proxy authentication request?
This is probaly stored in user sql entry? You will probably need to use unlang switch statement to set Proxy-To-Realm attribute. Create realms for authentication servers in proxy.conf.
Access-Request packet sent to authentication server (OTP system). Is User-name/User-Password ok?
Authentication server responds: Access-Accept/Reject. If Access-Accept. Reply goes to FreeRadius.
That will all work by default.
FreeRadius checks with SQL. What Reply attributes to send to NAS/AAA-client. IETF (attribute 25, Class). etc..
That can be sorted in post-auth or post-proxy section. You can list sql.authorize there and get reply attributes at that stage. Ivan Kalik Kalik Informatika ISP