Hi Alan, Thanks for the quick reply. As I said, I'm quite inexperienced with Freeradius so I have a few followup questions below.
Frank Skovboel wrote:
I have been asked to build a radius proxy using freeradius, and I'm completely new to freeradius, and with the flexibility in freeradius I'm having a hard time figuring out how to accomplish my goal, or if it's even possible to do.
Pretty much anything is possible. :)
I imagine the flow is some thing like: 1) User from Company A tries to login 2) Company A's VPN sends a radius request to Freeradius 3) Freeradius looks at the Radius_client IP and finds the right AD.
See "man unlang"
Language seems straight forwards :-)
4) Freeradius does an LDAP bind to Company A's AD, and checks if the user exists.
if (Packet-Src-IP-Address == 1.2.3.4) { ldap_a } elsif (Packet-Src-IP-Address = 4.5.6.7) [ ldap_b }
Where would I place this (what file under which section?), and do I need to do some thing special to make sure it does not try to authenticate the user?
Configure two copies of the LDAP module. See raddb/modules/files for simple documentation on how this is done. Point ldap_a at the AD for company A, and ldap_b at the AD for company B.
5) If user exists request is proxied to the OTP radius, if the user does not exists access-reject is sent from Freeradius.
After the above config:
if (!notfound) { reject } ... else proxy it ...
Where can I read about the response codes that I can expect on "found user" and "user not found" ? "else proxy it" is that about using update control ? -- Thanks, Frank