On Jan 11, 2019, at 2:42 AM, R3DNano <r3dnano@gmail.com> wrote:
Thanks for your kind reply, Alan, it's been really helpful.
Good.
Forgive me if I'm being too dense here, but if I understand you correctly, you mean a good approach would be to create one virtual server per each client (at the end of the day you don't have that many ones, but sure their authentication methods might differ considerably between one and another),
If the policies are completely different (VPN, WiFi, etc.), yes.
set non-standard ports on each of them to listen to (since two virtual servers can't listen on the same port)
No. Please read the documentation I told you to read. It describes how different clients can use different virtual servers. That's why I asked you to read the documentation. raddb/sites-available/README See section 5. This is *extensively* documented.
and inside each server's authorize section, implement the unlang logic to use the correct authentication sources?
Treat each virtual server as completely independent. And put all of the rules for VPN into the VPN virtual server. In this situation, you can simplify the virtual servers to use *only* the necessary policies. I've had good luck with creating virtual servers that are ~30 lines for each of authorize && authenticate. Once the *requirements* are minimized, the *implementation* can also be minimized. Alan DeKok.