Help mixing proxied and non-proxied auth mechanisms
Geoff Silver
geoff+freeradius at uslinux.net
Tue Mar 14 17:47:43 CET 2006
I'm hoping to simplify my users file, and I'm hoping someone can help. Right
now I have something like the following.
users file:
---------
user01  Auth-Type := Accept, Huntgroup-Name == "Office", Hint == Port-1812
        Connect-Info = "OFFICE_NET"
user01  Huntgroup-Name == "Office", Hint == Port-1645, Proxy-To-Realm := PROXY_GW
        Connect-Info = "OFFICE_NET"
hints:
-----
DEFAULT User-Name =~ "^(.*)$"
        Hint = "Port-%{request:Packet-Dst-Port}"
proxy.conf:
----------
proxy server {
        synchronous = no
        retry_delay = 5
        retry_count = 1
        dead_time = 300
        default_fallback = yes
        # enable post_proxy_authorize to get our local radius instance to
        # send back the connect-info on successful auth
        post_proxy_authorize = yes
}
realm PROXY_GW {
        type = radius
        authhost = 10.1.2.3:1812
        secret = mys3kr1t
}
Basically, if "user01" connects on port 1812, all we do is the authorize step.
If they're in the users file, they get access. If not, they don't. If
"user01" connects on port 1645, we want to proxy their authentication to
another radius server, and we want to do authorization locally against this
file.
So, right now, for every huntgroup/connect-info pair, I have *two* entries in
the users file. One is for Port-1812, the other for Port-1645. So the
question of the hour is: Is there something nifty I can do to eliminate the
need for *two* nearly-identical entries for each user?
Thanks!