On Oct 12, 2023, at 5:35 AM, Pietro N. via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Our freeradius 3.2.1 for Eduroam (Radius2) receives requests from users in Active Directory (for example, SSID=staff-AD). We already have a primary Radius server (Radius1, different system) which usually handles the students' and staff requests (for example: SSID=students), which credentials are stored into the internal database.
How can I forward the requests arriving to freeradius from students (who tried to use SSID=staff-AD, being rejected by AD), forwarding them to Radius1? How can I forward the requests arriving to freeradius from SSID=students, forwarding them to Radius1?
If both SSIDs are the same, then the better approach is to just use one SSID. Then based on LDAP group lookups, put the users into a "staff" VLAN or a "student" VLAN. It's much simpler to configure, and much simpler to debug, test, and maintain. This SSID can even be the eduroam SSID: if (my domain) if (staff) put into staff vlan else put into student vlan else if check bad / malformed domain reject else proxy upstream to eduroam. Most policies aren't much more complex than that. There are still details to work out, of course. But by writing policies in simple pseudo-code as above, you've simplified the problem into creating and testing each individual line of pseudocode. Alan DeKok.