Hey Alan, On Thu, Oct 13, 2022 at 6:18 PM Alan DeKok <aland@deployingradius.com> wrote:
On Oct 13, 2022, at 5:22 PM, Matt Zagrabelny via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
I'm standing up a new RADIUS server that needs to proxy requests to both single and two factor RADIUS systems. I am looking for some feedback on my design.
I'd like the option to configure local clients to either single factor or two factor auth.
OK.
The proxy server I set up could listen on 1812 and 1814. Clients that need/want single factor auth will request to 1812 and clients that need/want two factor auth will request to 1814. With corresponding acct listening on 1813 and 1815.
Is this sensible? Are there any standard FR configurations for working with clients to proxy to different RADIUS servers?
You don't need different ports. You can just put the clients into a group. You can use a DB, or add extra information to the "client" section:
client foo { ipaddr = ...
group = group1 }
client bar { ipaddr = ...
group = group2 }
and then do:
if ("%{client:group}" == "group1") { ... proxy to server1 } elsif ("%{client:group}" == "group2") { ... proxy to server2 }
Cool. I suppose I was overengineering the design thinking that there might be more than one application on a host where app1 wants single factor auth and app2 wants two factor auth. That probably isn't a likely scenario. So... thank you for the sensible design! -m