Hello: We want to design an AAA system with the following requisites: COMPONENTS THAT WE HAVE: A) NAS(es) B) freeradius frontend C) authenticators WHAT WE CAN DO IS: 1. The NAS send a radius "access-request" to the radius frontend. In the packet there is a username (in username@group) syntax and a password. 2. The frontend MUST decide the authentication method and the authenticator machine based ONLY in the group (string AFTER the @). 3. The frontend sends user and password (note that NOT user@group) to the authenticator machine (maybe another radius, ldap, mysql, ...). 4. Then authenticator machine answer's to the frontend only with "OK" or "NOT OK". 5. If "OK" from step(4), then the freeradius answer's the NAS with "access granted" and some attributes extracted from the "group" (ip pool, netmask, default gw, ... _AND_ THE GROUP THAT IS AFTER THE @). NOTE THAT: - The unique function of the authenticators is saying "OK" if the username and passwd are correct or "NOT OK" if not. - NO USERS are defined in the radius frontend (only GROUPS with their respective attributes). Is there any "intelligent" way of acomplishing this design with freeradius? Thanks in advance and best regards
On Sat 23 Sep 2006 13:41, srg krn wrote:
Hello:
We want to design an AAA system with the following requisites:
COMPONENTS THAT WE HAVE: A) NAS(es) B) freeradius frontend C) authenticators
WHAT WE CAN DO IS: 1. The NAS send a radius "access-request" to the radius frontend. In the packet there is a username (in username@group) syntax and a password. 2. The frontend MUST decide the authentication method and the authenticator machine based ONLY in the group (string AFTER the @). 3. The frontend sends user and password (note that NOT user@group) to the authenticator machine (maybe another radius, ldap, mysql, ...). 4. Then authenticator machine answer's to the frontend only with "OK" or "NOT OK". 5. If "OK" from step(4), then the freeradius answer's the NAS with "access granted" and some attributes extracted from the "group" (ip pool, netmask, default gw, ... _AND_ THE GROUP THAT IS AFTER THE @).
NOTE THAT: - The unique function of the authenticators is saying "OK" if the username and passwd are correct or "NOT OK" if not. - NO USERS are defined in the radius frontend (only GROUPS with their respective attributes).
Is there any "intelligent" way of acomplishing this design with freeradius?
Yes. Did you read the documentation? Start at: http://wiki.freeradius.org/Proxy -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Thanks a lot for your response. About your question... Yes I did.
From the doc at http://wiki.freeradius.org/Proxy : "It is possible to use FreeRADIUS as a proxy RADIUS server. This means that it can consult a remote RADIUS server to validate a user."
We need that the "remote RADIUS that validates the user" can be a radius OR LDAP OR MYSQL OR ... (point 3 of my question). Thanks and best regards On 9/23/06, Peter Nixon <listuser@peternixon.net> wrote:
On Sat 23 Sep 2006 13:41, srg krn wrote:
Hello:
We want to design an AAA system with the following requisites:
COMPONENTS THAT WE HAVE: A) NAS(es) B) freeradius frontend C) authenticators
WHAT WE CAN DO IS: 1. The NAS send a radius "access-request" to the radius frontend. In the packet there is a username (in username@group) syntax and a password. 2. The frontend MUST decide the authentication method and the authenticator machine based ONLY in the group (string AFTER the @). 3. The frontend sends user and password (note that NOT user@group) to the authenticator machine (maybe another radius, ldap, mysql, ...). 4. Then authenticator machine answer's to the frontend only with "OK" or "NOT OK". 5. If "OK" from step(4), then the freeradius answer's the NAS with "access granted" and some attributes extracted from the "group" (ip pool, netmask, default gw, ... _AND_ THE GROUP THAT IS AFTER THE @).
NOTE THAT: - The unique function of the authenticators is saying "OK" if the username and passwd are correct or "NOT OK" if not. - NO USERS are defined in the radius frontend (only GROUPS with their respective attributes).
Is there any "intelligent" way of acomplishing this design with freeradius?
Yes. Did you read the documentation?
Start at: http://wiki.freeradius.org/Proxy
--
Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sat 23 Sep 2006 15:57, srg krn wrote:
Thanks a lot for your response. About your question... Yes I did.
From the doc at http://wiki.freeradius.org/Proxy :
"It is possible to use FreeRADIUS as a proxy RADIUS server. This means that it can consult a remote RADIUS server to validate a user."
We need that the "remote RADIUS that validates the user" can be a radius OR LDAP OR MYSQL OR ... (point 3 of my question).
Yes. This is possible also. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Again, thanks for your response. How can we use different authenticators (ldap, radius, mysql, ...) ? Thanks and best regards On 9/23/06, Peter Nixon <listuser@peternixon.net> wrote:
On Sat 23 Sep 2006 15:57, srg krn wrote:
Thanks a lot for your response. About your question... Yes I did.
From the doc at http://wiki.freeradius.org/Proxy :
"It is possible to use FreeRADIUS as a proxy RADIUS server. This means that it can consult a remote RADIUS server to validate a user."
We need that the "remote RADIUS that validates the user" can be a radius OR LDAP OR MYSQL OR ... (point 3 of my question).
Yes. This is possible also.
--
Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sat 23 Sep 2006 19:32, srg krn wrote:
Again, thanks for your response.
How can we use different authenticators (ldap, radius, mysql, ...) ?
Have you read the docs on ldap and sql? -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
participants (2)
-
Peter Nixon -
srg krn