Bridging RADIUS Servers
Phil Mayers
p.mayers at imperial.ac.uk
Tue Dec 19 09:54:04 CET 2006
Jack Jackson wrote:
> Dear All-
>
> Excuse my ignorance. Our company uses RADIUS today for network (802.1x)
> authentication. We're merging with another company who also uses RADIUS
> for the same purpose. Is there a config document which shows how I can
> configure Free Radius to proxy 2 completely different, existing RADIUS
> servers to authenticate users.
>
> The idea is that if one existing RADIUS server doesn't contain user
> information, a second RADIUS server can be queried for user info.
> Failing both lookups, the user will be declined.
I don't believe there's any function in the FreeRadius proxy code to
handle that.
Depending on the Auth-Type, it's a somewhat difficult thing to do; for
example with many EAP types, you might not know the auth has failed
(because the user doesn't exist or for any other reason) until after
several Access-Request/Access-Challenge pairs have been sent, and it's
too late to redirect the exchange by then.
>
> I'd appreciate any helpful tips.
You will be far better off getting a list of users from the "other"
server and using a map in "your" server - e.g.
authorize {
        preprocess
        users
        # other modules
}

users:
# users who live on the "other" server: proxy the request there
joeremote       Freeradius-Proxied-To := theremoteserverip
johnremote      Freeradius-Proxied-To := theremoteserverip
# users who live here: authenticate locally
janelocal       User-Password := "foo"
There are lots of better ways of doing this - see rlm_passwd or the SQL
modules, but you get the basic idea.

More information about the Freeradius-Users mailing list:
http://www.freeradius.org/list/users.html
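The per-user map Phil describes, written out as a complete pair of FreeRADIUS config fragments. This is an added example, not part of the original thread and not taken from the FreeRADIUS project's own documentation. It assumes FreeRADIUS 1.x syntax (the version current when the thread was written) and uses the realm mechanism (a realm in proxy.conf plus Proxy-To-Realm in the users file) rather than the Freeradius-Proxied-To attribute shown in the reply; the realm name, the 192.0.2.10 address, the shared secret and the user names are all made up.

```conf
# raddb/proxy.conf (FreeRADIUS 1.x syntax, assumed): declare the other
# company's existing RADIUS server as a home server we can proxy to.
# 192.0.2.10 and the secret are placeholders.
proxy server {
        synchronous      = no
        retry_delay      = 5
        retry_count      = 3
        dead_time        = 120
        default_fallback = no
}

realm othercompany.example {
        type       = radius
        authhost   = 192.0.2.10:1812
        accthost   = 192.0.2.10:1813
        secret     = ReplaceWithSharedSecret
        nostrip                 # forward User-Name unchanged
}

# No "DEFAULT" realm is defined on purpose: a user who matches no
# proxy entry is processed locally, and is rejected there if nothing
# local knows them either.

# raddb/users: the map itself. Names known to live on the other
# company's server are proxied; names known to live here get a local
# entry. Entries without Fall-Through stop at the first match, so a
# proxied user is never also looked up locally.
joeremote       Proxy-To-Realm := "othercompany.example"
johnremote      Proxy-To-Realm := "othercompany.example"

janelocal       User-Password := "foo"
```

For 802.1X the match has to be made on the outer identity carried in the first Access-Request, since, as the reply points out, the target cannot be changed once the Access-Challenge round trips have begun; the list of "other company" names therefore needs to cover the outer identities those supplicants send, not only their inner EAP identities.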