Bridging RADIUS Servers

Phil Mayers p.mayers at imperial.ac.uk
Tue Dec 19 09:54:04 CET 2006


Jack Jackson wrote:
> Dear All-
> 
> Excuse my ignorance.  Our company uses RADIUS today for network (802.1x) 
> authentication.  We're merging with another company who also uses RADIUS 
> for the same purpose.  Is there a config document which shows how I can 
> configure Free Radius to proxy 2 completely different, existing RADIUS 
> servers to authenticate users.
> 
> The idea is that if one existing RADIUS server doesn't contain user 
> information, a second RADIUS server can be queried for user info.  
> Failing both lookups, the user will be declined.

I don't believe there's any function in the FreeRadius proxy code to 
handle that.

Depending on the Auth-Type, it's a somewhat difficult thing to do; for 
example with many EAP types, you might not know the auth has failed 
(because the user doesn't exist or for any other reason) until after 
several Access-Request/Access-Challenge pairs have been sent, and it's 
too late to redirect the exchange by then.

> 
> I'd appreciate any helpful tips.

You will be far better off getting a list of users from the "other" 
server and using a map in "your" server - e.g.

authorize {
   preprocess
   users
   # other modules
}

users:

# Proxy-To-Realm (not Freeradius-Proxied-To, which the server only sets for
# logging) is the check item that routes a request; the realm is defined in proxy.conf.
joeremote	Proxy-To-Realm := "theremoterealm"

johnremote	Proxy-To-Realm := "theremoterealm"

janelocal	User-Password := "foo"

There are lots of better ways of doing this - see rlm_passwd or the SQL 
modules, but you get the basic idea.

http://www.freeradius.org/list/users.html
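As an added illustration that is not part of the original reply, here is how the users-file map above pairs with a realm and home server definition, assuming FreeRADIUS 2.x proxy.conf syntax and placeholder values for the address, secret and realm name:

```conf
# proxy.conf (FreeRADIUS 2.x syntax; address, secret and realm name are placeholders)

home_server othercompany_auth {
        type = auth
        ipaddr = 192.0.2.10          # the other company's existing RADIUS server
        port = 1812
        secret = CHANGE_ME_SHARED_SECRET
        # Drop replies that lack a valid Message-Authenticator, so a forged
        # Access-Accept from a third party is not taken as the remote server's answer.
        require_message_authenticator = yes
        response_window = 20
        zombie_period = 40
        status_check = status-server
}

home_server_pool othercompany_pool {
        type = fail-over
        home_server = othercompany_auth
}

realm othercompany {
        auth_pool = othercompany_pool
        # Keep User-Name intact; the remote server knows these accounts as-is.
        nostrip
}

# users file: only the listed accounts are proxied, everyone else is handled locally.
joeremote       Proxy-To-Realm := "othercompany"

johnremote      Proxy-To-Realm := "othercompany"

janelocal       User-Password := "foo"
```

Because the routing decision is made by the users-file match before any EAP round trip begins, a name on neither list is rejected locally rather than tried against both servers, which is the limitation the reply describes.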
