Oliver Gorwits wrote:
I'd welcome some guidance on configuring FreeRADIUS (any version) to select a onward proxy server(s) based on a RADIUS request attribute, and not the username's realm.
In 2.1.7 and earlier, create a fake realm (e.g. foo.bar.baz), and fill out the normal home servers, pools, etc. Then do: authorize { ... update control { Proxy-To-Realm := "foo.bar.baz" } ... } In 2.1.8, you can skip creating the realm. Just create home servers, pools, and do: update control { Home-Server-Pool := "pool-name" }
The specific situation is that it would be useful to proxy based on the wireless SSID to which a user is authenticating. In our Cisco system, this information comes in via the Called-Station-Id attribute of the request packet.
See "man unlang" for generic instructions on creating policies. authorize { ... if (Called-Station-Id =~ /foo/) { update control { ... } } ... }
We're open to any kind of solution, including setting dummy realms, or using the rlm_perl module, but would appreciate any pointers you have, and details on the processing order within FreeRADIUS to make sure we set things up properly.
(Yes, it's also possible just to configure different RADIUS servers directly on the Cisco system per SSID, but we'd much prefer to have one RADIUS configuration there, and proxy onwards from FreeRADIUS.)
Yup. That's usually the safest solution, too. Alan DeKok.