Hello all I hope this question has been asked a dozen times before. I have the following idea to a setup that I want to ask this is even possible with a freeRadius server. The scenario is multiple customers with their own windows domain servers where I want to authenticate ciscp vpn clients against the users own active directory. Hardware setup is going to be something like this, Multiple Cisco vpn clients with a single point of entry -> Cisco 4500 -> Radius Server -> multiple windows domain servers.(not in any way trusted or connected to each other). 1. a vpn client contacts the cisco box 2. the ciscop box forwards the request to the radius server for authentication. 3. the radius server somehow proxies the request to the windows domain server 4. the domain server reports back an ok to the radius server? 5. the vpn tunnel is setup. What I can understand about freeRadius is that it is possible to proxy authentication requests to other radius servers depending on domain names and other fields. Is this correct? Is this type of setup even doable with a Radius Server and if so could anyone help me in the directions of some solid howto's as I'm fairly green working with radius servers. Hope someone has some input to this type of setup. Regards Christian
1. a vpn client contacts the cisco box 2. the ciscop box forwards the request to the radius server for authentication. 3. the radius server somehow proxies the request to the windows domain server 4. the domain server reports back an ok to the radius server? 5. the vpn tunnel is setup.
What I can understand about freeRadius is that it is possible to proxy authentication requests to other radius servers depending on domain names and other fields. Is this correct?
Yes
Is this type of setup even doable with a Radius Server and if so could anyone help me in the directions of some solid howto's as I'm fairly green working with radius servers.
It's not very hard at all. See the "proxy.conf" file in the distribution. Broadly speaking, assuming they are all logging in as "user@domain.com" you need: modules { # other modules realm suffix { format = suffix delimiter = '@' ignore_default = yes ignure_null = yes } } authorize { preprocess suffix } ...the in proxy.conf for each customer: realm domain.com { type = radius authhost = the.auth.server.domain.com:1812 accthost = the.acct.server.domain.com:1813 secret = TheRadiusSecret nostrip }
Hope someone has some input to this type of setup.
Regards Christian
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Christian Ejlertsen -
Phil Mayers