Hi Guys, Wondeirng if you can help, I have a scenario where I have two servers running Freeradius, one is setup using MYSQL and is working fine and the other is doing OTP and is a remote server. I would like to pass on the Auth part of this to the OTP server. E.g. if a request comes in to server 1 it will do radcheck against username only, it will then forward the request on to server two that will have the same username and then check its password and OTP, The OTP radius server will send an accept accept ONLY. The original server running MYSQL will then add the rad reply / radgroup reply items / AVP's to the reply. Main reason is I can keep the OTP server as just doing OTP and have multiple instances of Freeradius setup to essentially point the requests to the OTP server if they need / Want to. The original server can then have control of the rad replies to send to the client (Mainly VPN clients). It is possible on the OTP server alone however its very messy and to implement with MYSQL isn't exactly straight forward. Any pointers on this would be great e.g. how / what I need to look into. I have had a look at proxying rad requests but from what I can understand the original server cannot update the reply or if it can where I would do this. CHeers !!
On Wed, May 24, 2017 at 10:55:50AM +0100, David Brierley wrote:
I would like to pass on the Auth part of this to the OTP server. E.g. if a request comes in to server 1 it will do radcheck against username only, it will then forward the request on to server two that will have the same username and then check its password and OTP, The OTP radius server will send an accept accept ONLY.
This isn't going to be straightforward as when a request is going to be proxied it is passed through pre-proxy/post-proxy rather than authenticate. So you'll never hit authenticate on your first RADIUS server.
The original server running MYSQL will then add the rad reply / radgroup reply items / AVP's to the reply.
You can do this in post-proxy in theory.
Main reason is I can keep the OTP server as just doing OTP and have multiple instances of Freeradius setup to essentially point the requests to the OTP server if they need / Want to.
The original server can then have control of the rad replies to send to the client (Mainly VPN clients). It is possible on the OTP server alone however its very messy and to implement with MYSQL isn't exactly straight forward.
Maybe you can make the OTP component web-based and use rlm_rest on the RADIUS servers rather than proxying? Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (2)
-
David Brierley -
Matthew Newton