----- On Jun 30, 2021, at 3:14 PM, Alan DeKok aland@deployingradius.com wrote:
TBH, for b1 and b2, I would just create two VMs, one for each system. That way you can create a "base" VM with FreeRADIUS, Samba, etc. You can then customize this VM with individual rules for each AD domain, and for each set of users.
Yes, that would significantly simplify the setup, have one for each AD winbind and/or LDAP on that AD.. So basically each backend method (aka winbind and ldap) needs a separate server otherwise it's hard to distinguish between requests or can you differentiate regarding which client sends the request? Separate servers seem cleaner..
2. how to deal with eduroam wifi - a user can be from several realms - 1) @edu auth b1, 2) @student.edu auth b2, @anything_else delegate. Where should this actually be done? In a server configuration or in proxy.conf or where?
In proxy.conf. There's documentation for Eduroam on http://wiki.freeradius.org
I've read this. There is one thing I'm not quite sure how to do - I go with two VMs for each AD, in the eduroam example the VLANs get assigned in post-auth for only two cases - home user or foreign user and that gets defined by checking &control:Proxy-To-Realm. I'd need to have 3 setups - staff/student/other and in my case *student would also fall into &control:Proxy-To-Realm group as it'd have to be proxied to the other VM. Should I just define a new var in authorize section or hijack an unused one (like request:Operator-Name) and check&assign by this value?
Welcome to RADIUS. :( It's horribly complex, because people want to do horribly complex things.
Yes, one does get the there-be-dragons feeling at first ;-) But it's getting much clearer now (there-might-only-be-frogs ;-) Thanks a lot for the pointers! Cheers, Jure