forward authentication, but take reply attributes from local db
Hello! Lets say i have primary radius server with users in file. And i also have secondary one, with the same users (logins and passwords are the same). How do i forward/proxy access-request from primary to secondary and in case it sends back access-accept to primary - it takes user attributes from local database (of primary). No just return to NAS what secondary gave me, but rewrite it according to local config. The main goal of secondary - just either accept or reject user. is it even possible?
On Apr 15, 2015, at 10:57 AM, Vld <ponch@ponch.ru> wrote:
Lets say i have primary radius server with users in file. And i also have secondary one, with the same users (logins and passwords are the same).
OK.
How do i forward/proxy access-request from primary to secondary and in case it sends back access-accept to primary - it takes user attributes from local database (of primary). No just return to NAS what secondary gave me, but rewrite it according to local config.
You can re-write attributes in the post-proxy stage. That's what it's for. By default, the server uses the reply from the home server as the reply to the NAS. If you want that changed, you'll need to change configuration. Put the reply attributes into the post-proxy section, that should work.
The main goal of secondary - just either accept or reject user.
is it even possible?
Yes. Alan DeKok.
Thanks, Alan! its amazing, how flexible freeradius is) В Wed, 15 Apr 2015 11:15:26 -0400 Alan DeKok <aland@deployingradius.com> пишет:
On Apr 15, 2015, at 10:57 AM, Vld <ponch@ponch.ru> wrote:
Lets say i have primary radius server with users in file. And i also have secondary one, with the same users (logins and passwords are the same).
OK.
How do i forward/proxy access-request from primary to secondary and in case it sends back access-accept to primary - it takes user attributes from local database (of primary). No just return to NAS what secondary gave me, but rewrite it according to local config.
You can re-write attributes in the post-proxy stage. That's what it's for.
By default, the server uses the reply from the home server as the reply to the NAS. If you want that changed, you'll need to change configuration.
Put the reply attributes into the post-proxy section, that should work.
The main goal of secondary - just either accept or reject user.
is it even possible?
Yes.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
btw, i knew i can modify reply in post_proxy. I use perl module for that. What i could not find out is how do i pull attributes from localy configured user with the same user-name and replace reply with it. В Wed, 15 Apr 2015 11:15:26 -0400 Alan DeKok <aland@deployingradius.com> пишет:
On Apr 15, 2015, at 10:57 AM, Vld <ponch@ponch.ru> wrote:
Lets say i have primary radius server with users in file. And i also have secondary one, with the same users (logins and passwords are the same).
OK.
How do i forward/proxy access-request from primary to secondary and in case it sends back access-accept to primary - it takes user attributes from local database (of primary). No just return to NAS what secondary gave me, but rewrite it according to local config.
You can re-write attributes in the post-proxy stage. That's what it's for.
By default, the server uses the reply from the home server as the reply to the NAS. If you want that changed, you'll need to change configuration.
Put the reply attributes into the post-proxy section, that should work.
The main goal of secondary - just either accept or reject user.
is it even possible?
Yes.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 16, 2015, at 8:55 AM, Vlad <ponch@ponch.ru> wrote:
btw, i knew i can modify reply in post_proxy. I use perl module for that. What i could not find out is how do i pull attributes from localy configured user with the same user-name and replace reply with it.
The point is that anything you can do in the "authorize" section you can do in the "post-proxy" section. Just put the local attributes for each user into the post-proxy section. You can even put "files.authorize" into the "post-proxy" section. It will run the normal "users" file then, too. Alan DeKok.
participants (3)
-
Alan DeKok -
Vlad -
Vld