2 servers - frontend + backend: auth + attributes
Hello! I want to implement next scheme (PAP protocol, FreeRADIUS 3.0.27): client sends request to frontend server , frontend server authenticates user , frontend server sends request to backend server, backend server authenticates user and adds attributes, frontend server returns extra attributes to client. It seems frontend server can proxy request after authorization, so the part with authentication on frontend server is missed. Is it possible to implement this approach? Regards Andrei
On Sep 26, 2025, at 2:48 AM, Andrei Katsuk <steep8@gmail.com> wrote:
Hello! I want to implement next scheme (PAP protocol, FreeRADIUS 3.0.27): client sends request to frontend server , frontend server authenticates user , frontend server sends request to backend server, backend server authenticates user and adds attributes, frontend server returns extra attributes to client.
Why? If the front end authenticates the user, the back end can just assume that the user has been authenticated. It doesn't need to re-authenticate the user. Alan DeKok.
Why? If the front end authenticates the user, the back end can just assume that the user has been authenticated. It doesn't need to re-authenticate the user.
Alan DeKok.
Let me explain the configuration. Old configuration : Cisco ISE with RADIUS server which returns to client Cisco-AVPair for authorization by domain login/password. What I want: Add FreeRADIUS server for mfa authentication. The first attempt: Add FreeRADIUS (3.0.27) as proxy (frontend) (which should provide mfa authentication) to Cisco ISE (backend) which should still return Cisco-AVPair for authorization by domain login/password. Obstacles : It seems FreeRADIUS proxies request after authorization section and skips authentications section. So is it possible to implement such a configuration or should I think about a different approach ? Regards, Andrei
On Sep 29, 2025, at 12:15 AM, Andrei Katsuk <steep8@gmail.com> wrote:
Let me explain the configuration. Old configuration : Cisco ISE with RADIUS server which returns to client Cisco-AVPair for authorization by domain login/password. What I want: Add FreeRADIUS server for mfa authentication. The first attempt: Add FreeRADIUS (3.0.27) as proxy (frontend) (which should provide mfa authentication)
How? Details matter. It's difficult to answer a question which is basically "I want to do things". The more details you provide, the better the answer will be.
to Cisco ISE (backend) which should still return Cisco-AVPair for authorization by domain login/password. Obstacles : It seems FreeRADIUS proxies request after authorization section and skips authentications section. So is it possible to implement such a configuration or should I think about a different approach ?
It's possible. How? That depends on what you want to do. If you go through the documentation, it documents everything you need to put together a solution. Or, give a clear and complete description of the problem. What do mean by MFA? What comes in the packet? How does FreeRADIUS verify the MFA / password? If you describe the problem in detail, it is possible to give a detailed solution. If the description is vague and incomplete, then any help will necessarily be vague and incomplete. Alan DeKok.
How? That depends on what you want to do.
If you go through the documentation, it documents everything you need to put together a solution.
Or, give a clear and complete description of the problem. What do mean by MFA? What comes in the packet? How does FreeRADIUS verify the MFA / password?
If you describe the problem in detail, it is possible to give a detailed solution. If the description is vague and incomplete, then any help will necessarily be vague and incomplete.
These are good questions, What comes in the packet? It is PAP protocol - so Access-Request contains User-Name / User-Password
What do mean by MFA? It is under another investigation. For now it is password + otp . It may be one string password&otp or separate 2FA : password/otp
How does FreeRADIUS verify the MFA / password? I expect that rlm_rest module with backend server will check otp or even password + otp
If you go through the documentation, it documents everything you need to put together a solution. For now I'm stuck a bit with Proxy, which activates in the authorize section and skips authenticate section. It seems that verifying password&otp in other sections (except the authenticate section) does not allow us to follow the FreeRADIUS design flow.
On Sep 30, 2025, at 1:09 AM, Andrei Katsuk <steep8@gmail.com> wrote:
It is PAP protocol - so Access-Request contains User-Name / User-Password
OK...
What do mean by MFA? It is under another investigation. For now it is password + otp . It may be one string password&otp or separate 2FA : password/otp
You'll have to decide which one it is before building a solution.
How does FreeRADIUS verify the MFA / password? I expect that rlm_rest module with backend server will check otp or even password + otp
Then you can do that today. Just have the REST module check the password in the authorize section. Then if it fails, reject the request. After checking the password in REST, you can then tell the server to proxy the packet.
If you go through the documentation, it documents everything you need to put together a solution. For now I'm stuck a bit with Proxy, which activates in the authorize section and skips authenticate section.
You don't need to run the REST module in the authenticate section.
It seems that verifying password&otp in other sections (except the authenticate section) does not allow us to follow the FreeRADIUS design flow.
You can run a module method from a different section by using the section name. This is documented. authorize { ... rest.authenticate # runs the "authenticate" method of the "rest" module } Alan DeKok.
Currently it is decided to swap FreeRADIUS and Cisco ISE. Cisco ISE works as authorization frontend and RADIUS Proxy (where external RADIUS Token Server is configured) , FreeRADIUS works as authentication backend. This configuration works well.
participants (2)
-
Alan DeKok -
Andrei Katsuk