Using multiple auth methods, ports
Geoff Silver
geoff+freeradius at uslinux.net
Mon Feb 20 15:49:35 CET 2006
Hi Dusty,
Yeah, I had considered running two radiusd instances, actually, but it
felt less than ideal. Part of the problem is that our radius
infrastructure is spread across two dozen servers around the world, and
multiple radiusd's give us more moving parts (two /etc/raddb configs,
two sets of users files, two daemons to worry about, etc). We have some
tools to manage distribution of configs, users files, etc, but as-is
they would probably require significant changes. Hopefully I can make
freeradius do what I want... if not, I may end up taking your advice
;-) Thanks.
Dusty Doris wrote:
>> the request, which doesn't help me). The only thing the NAS can do
>> that is "helpful" is send cert auth requests to a different UDP port
>> than regular auth requests.
>
> Perhaps there are new features that can take care of this for you in
> one place, but if not, you can just run two radiusd instances. One
> for "oldschool" and one for cert.
>
> For example, say your raddb dir is in /etc/raddb now.
>
> You would create two subdirs of that directory
>
> mkdir /etc/raddb/oldschool
> mkdir /etc/raddb/cert
>
> and perhaps for logging separately as well
>
> mkdir /var/log/radius/oldschool
> mkdir /var/log/radius/cert
>
> cp all the files from raddb to the two directories.
>
> Modify the top of radiusd.conf to point to the new directories for
> raddbdir, confdir, logdir, etc.. Modify the listen or port arguments
> to make one listen on 1645 and the other on 1812.
>
> Then modify the rest of it, such as the users file, to do what you
> want for each separate instance.
>
> Then modify your startup script to fire off two instances using the -d
> option, and make sure you get both instances as well on stop/restarts.
>
> eg:
>
> /pathto/radiusd -d /etc/raddb/oldschool
> /pathto/radiusd -d /etc/raddb/cert
>
> That will give you two separate instances. One will be configured to
> only handle oldschool logins and the other to only handle certs. It
> will be another port/process you'll have to monitor, but it should
> give you what you want.
>
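The per-instance config split Dusty describes, as an added example that is not code from the thread or from the FreeRADIUS project: it derives one self-contained radiusd config directory per instance from a common template and rewrites the path and port directives. It assumes the FreeRADIUS 1.x radiusd.conf directives raddbdir, confdir, logdir, pidfile and port; the template lines and the base directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Builds BASE/raddb/NAME and
# BASE/log/NAME for each radiusd instance so that "radiusd -d BASE/raddb/NAME"
# runs it with its own config, log directory, pid file and UDP port.
set -eu

# Constructed sample of the relevant radiusd.conf lines (not a full config).
TEMPLATE_CONF='prefix = /usr
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
confdir = ${raddbdir}
pidfile = ${run_dir}/radiusd.pid
port = 0
'

# make_instance BASE NAME PORT
#   Creates the instance directories, copies the template in and rewrites
#   logdir, raddbdir, pidfile and port. A distinct pidfile per instance
#   matters: with a shared one the init script can stop the wrong daemon
#   on restart, and the second instance may refuse to start at all.
make_instance() {
    base=$1; name=$2; port=$3
    conf="$base/raddb/$name"; log="$base/log/$name"
    mkdir -p "$conf" "$log"
    printf '%s' "$TEMPLATE_CONF" | sed \
        -e "s|^logdir = .*|logdir = $log|" \
        -e "s|^raddbdir = .*|raddbdir = $conf|" \
        -e "s|^pidfile = .*|pidfile = \${run_dir}/radiusd-$name.pid|" \
        -e "s|^port = .*|port = $port|" > "$conf/radiusd.conf"
    printf '%s\n' "$conf"
}

# conf_value DIR KEY -> value of the "KEY = value" line in DIR/radiusd.conf
conf_value() {
    sed -n "s|^$2 = ||p" "$1/radiusd.conf"
}

# Usage, as in the thread: one instance on 1645 for password logins,
# one on 1812 for certificate auth, each started with "radiusd -d DIR".
if [ "${1:-}" = "--demo" ]; then
    old=$(make_instance /tmp/raddb-demo oldschool 1645)
    cert=$(make_instance /tmp/raddb-demo cert 1812)
    printf 'radiusd -d %s\nradiusd -d %s\n' "$old" "$cert"
fi
```

After both instances are up, check that each listens on its own port and has its own pid file before pointing the NAS at them; a port collision fails silently from the NAS side as timeouts.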