Questions about FreeRadius proxy
Hi all, I am new in FreeRadius and I hope someone can kindly help me. I have several questions: Q1) I just setup a FreeRadius server and I want to set it as a Radius Proxy server. I know Realm can do it but I found that to use Realm, the user needs to append the domain @xxx.com (i.e. user01@xxx.com) at the end. Is it true? Can I skip the domain @xxx.com? (i.e. user just type the username [user01] and the FreeRadius can proxy to another RADIUS server). Q2) Can I setup a table in the FreeRadius server with username only so that when the Application server request for authentication, the FreeRadius will proxy to another RADIUS server only if the username is listed in the table? Q3) If Q2 is feasible, can I have several Application Servers and I limit the users from the Application servers? i.e. If user01 login Appliation server1, Application Server1 request the FreeRadius server. The FreeRaidus server check the user01 is belongs to Application Server1 group and it proxy the request to another RADIUS server. Application Server1 - user01 - user02 Application Server2 - user03 - user04 Any suggestions are welcome. Sorry for so many questions. Regards, Dovelet -- View this message in context: http://www.nabble.com/Questions-about-FreeRadius-proxy-t1297096.html#a345360... Sent from the FreeRadius - User forum at Nabble.com.
Dovelet wrote:
Hi all,
I am new in FreeRadius and I hope someone can kindly help me. I have several questions:
Q1) I just setup a FreeRadius server and I want to set it as a Radius Proxy server. I know Realm can do it but I found that to use Realm, the user needs to append the domain @xxx.com (i.e. user01@xxx.com) at the end. Is it true? Can I skip the domain @xxx.com? (i.e. user just type the username [user01] and the FreeRadius can proxy to another RADIUS server).
Yes, see the NULL entry in proxy.conf and set "ignore_null = no" on the LAST one of any "realm blah" entries in radiusd.conf. Or, add an entry to the users file setting Proxy-To-Realm (see below):
Q2) Can I setup a table in the FreeRadius server with username only so that when the Application server request for authentication, the FreeRadius will proxy to another RADIUS server only if the username is listed in the table?
Yes, try this: modules passwd userValid { file = /etc/raddb/validusers format = "*User-Name:~Group" } } authorize { preprocess userValid # other modules users # other modules } /etc/raddb/validusers: user01:appserver1 user02:appserver1 user03:appserver2 user04:appserver2 /etc/raddb/users # user must be in one group DEFAULT Group !* ANY, Auth-Type := Reject # If not using NULL realm DEFAULT Proxy-To-Realm := "REALMNAME"
Q3) If Q2 is feasible, can I have several Application Servers and I limit the users from the Application servers? i.e. If user01 login Appliation server1, Application Server1 request the FreeRadius server. The FreeRaidus server check the user01 is belongs to Application Server1 group and it proxy the request to another RADIUS server.
Application Server1 - user01 - user02
Application Server2 - user03 - user04
Yes, see posts on just this topic (though not obviously so) a couple of days ago: http://lists.freeradius.org/pipermail/freeradius-users/2006-March/051600.htm... Just out of curiosity, what is your app and upstream radius server?
Hi Phil Mayers, Thank you of your reply. Do you mean the append the following into the radius.conf or other files? I cannot start the radiusd after I append them into the radius.conf file. Sorry, I am really new in FreeRadius. Thanks. ------------------------------------------------------- modules passwd userValid { file = /etc/raddb/validusers format = "*User-Name:~Group" } } authorize { preprocess userValid # other modules users # other modules } ------------------------------------------------------- -- View this message in context: http://www.nabble.com/Questions-about-FreeRadius-proxy-t1297096.html#a352690... Sent from the FreeRadius - User forum at Nabble.com.
Dovelet wrote:
Hi Phil Mayers,
Thank you of your reply. Do you mean the append the following into the radius.conf or other files? I cannot start the radiusd after I append them into the radius.conf file. Sorry, I am really new in FreeRadius. Thanks.
The entries listed are partial config fragments. Certainly appending them won't work. You need to open up the radiusd.conf and go to the section specified and merge them in: # many # lines # of # config modules { # some # stuff # here # already # ADD THIS passwd userValid { file = /etc/raddb/validusers format = "*User-Name:~Group" } # probably some more stuff as well } authorize { preprocess # other # modules # ADD THIS userValid # "users" must come after users # maybe more modules } # rest # of # config # file The config file is quite liberally commented - if you spend some time reading the default config, it should be quite obvious. HTH
Dovelet <doveletchan@yahoo.com.hk> wrote:
Q1) I just setup a FreeRadius server and I want to set it as a Radius Proxy server. I know Realm can do it but I found that to use Realm, the user needs to append the domain @xxx.com (i.e. user01@xxx.com) at the end. Is it true?
No. You can have default realms. Read the docs & config files.
Q2) Can I setup a table in the FreeRadius server with username only so that when the Application server request for authentication, the FreeRadius will proxy to another RADIUS server only if the username is listed in the table?
Yes. See rlm_passwd.
Q3) If Q2 is feasible, can I have several Application Servers and I limit the users from the Application servers? i.e. If user01 login Appliation server1, Application Server1 request the FreeRadius server. The FreeRaidus server check the user01 is belongs to Application Server1 group and it proxy the request to another RADIUS server.
Yes. rlm_passwd can do this. Alan DeKok.
participants (3)
-
Alan DeKok -
Dovelet -
Phil Mayers