I have a VPN appliance authenticating users (~20 users) against my freeradius server. I have another radius server running on a windows box authenticating users on local and trusted domains (250+ users). For technical reasons I can't point the VPN appliance to the windows radius server. However, I'm setting up a proxy on the freeradius server to redirect auth requests to the windows radius server (to authenticate VPN users with active directory). The problem now is all 250+ users can essentially authenticate on the VPN. I'm wondering if there is a way to control which users (the ~20 users) in freeradius can be proxied to the windows radius server? Almost like a list of valid proxy users? Josh __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Easier - create a policy in IAS to only authorise the users you want. josh. Josh wrote:
I have a VPN appliance authenticating users (~20 users) against my freeradius server. I have another radius server running on a windows box authenticating users on local and trusted domains (250+ users). For technical reasons I can't point the VPN appliance to the windows radius server. However, I'm setting up a proxy on the freeradius server to redirect auth requests to the windows radius server (to authenticate VPN users with active directory). The problem now is all 250+ users can essentially authenticate on the VPN. I'm wondering if there is a way to control which users (the ~20 users) in freeradius can be proxied to the windows radius server? Almost like a list of valid proxy users?
Josh
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for your suggestion... I'm actually running Funk (Juniper) Steel-Belted Radius on the windows box. I'm working out issues with the user profiles on that box... I was hoping to let freeradius take care of who had access to proxy (if possible). Any other possibilities? --- Josh Howlett <josh.howlett@bristol.ac.uk> wrote:
Easier - create a policy in IAS to only authorise the users you want.
josh.
Josh wrote:
I have a VPN appliance authenticating users (~20 users) against my freeradius server. I have another radius server running on a windows box authenticating users on local and trusted domains (250+ users). For technical reasons I can't point the VPN appliance to the windows radius server. However, I'm setting up a proxy on the freeradius server to redirect auth requests to the windows radius server (to authenticate VPN users with active directory). The problem now is all 250+ users can essentially authenticate on the VPN. I'm wondering if there is a way to control which users (the ~20 users) in freeradius can be proxied to the windows radius server? Almost like a list of valid proxy users?
Josh
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Josh <josh2780@yahoo.com> wrote:
I'm actually running Funk (Juniper) Steel-Belted Radius on the windows box. I'm working out issues with the user profiles on that box... I was hoping to let freeradius take care of who had access to proxy (if possible).
"man rlm_passwd" Put the users into a group, and for people not in the "VPN" group, disallow them access to the VPN. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
I've ported all my freeradius user files/info to mysql. I have a groups setup with a few users in each. However, when I attempt to login to the VPN freeradius debug shows the proxy to the SBR server. SBR returns an access-accept message and the user is logged into the VPN. Uh oh - the user I attempted to login with was not listed in radcheck or usergroup. What do I need to do to have freeradius reject the auth request (even if the proxied SBR reponse was access-accept) if the user isn't part of a 'VPN' group? --- Alan DeKok <aland@deployingradius.com> wrote:
Josh <josh2780@yahoo.com> wrote:
I'm actually running Funk (Juniper) Steel-Belted Radius on the windows box. I'm working out issues with the user profiles on that box... I was hoping to let freeradius take care of who had access to proxy (if possible).
"man rlm_passwd"
Put the users into a group, and for people not in the "VPN" group, disallow them access to the VPN.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
participants (3)
-
Alan DeKok -
Josh -
Josh Howlett