Authentication type (ldap, users, etc) per client or user?

Alan DeKok aland at deployingradius.com
Fri Jan 4 10:50:30 CET 2008


falz wrote:
> This would technically get things working, but poses a security issue.
> I want to have clients associated with backends. The above example
> appears that it will simply give priority of one authentication source
> over the other, which isn't what I'm trying to do.

  You can use Autz-Type to get what you want, but it's more complicated.

> I'll look into 2.0 if this is the only way to get this functionality.

  It's not the only way, but it's *much* easier in 2.0.  You just put an
entry in the "client" configuration saying "virtual_server = foo", and
all requests get processed through "foo".

> No, I did not remove the files section. It is called, and loaded per
> my output in the previous email.

  It's not listed in the debug output you posted.  So it's not being called.

> Looking through the docs, it appears that Autz-Type gives indications
> of what I am trying to do:
> 
> http://www.freeradius.org/radiusd/doc/Autz-Type

  Yes.  It may require running two copies of the "files" module, which
is more complicated.

> I will experiment with it and some syntax, and chime back in when I
> get things working for future reference for other users (and for me,
> if I neglect to document it myself :)

  In 2.0:

client a {
	ipaddr = 1.2.3.4
	...
	virtual_server = foo
}

client b {
	ipaddr = 5.6.7.8
	...
	virtual_server = bar
}

server foo {
	authorize {
		users
		...
	}
	...
}

server bar {
	authorize {
		ldap
		...
	}
	...
}


  It's more typing to set up, but it's significantly easier to
understand and to maintain.  It means that there are fewer possibilities
for something to go wrong, too.

  Alan DeKok.
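The security point in the thread is that a client must be bound to exactly one backend, so a NAS that is supposed to authenticate against LDAP can never fall through to the "users" file (or the reverse). The following is an added example, not part of the post or of FreeRADIUS itself: a small Python checker that reads a config in the 2.0 "client ... virtual_server" / "server ... authorize" layout shown above and reports every client that is not bound to a defined virtual server. The sample config, client IP addresses and secrets are constructed for the example; the parser only understands the subset of the config syntax used here (blocks, `key = value` lines, bare module names, `#` comments), and the sample uses `files` as the name of the module that reads the users file.

```python
"""Added example (not from the post or the FreeRADIUS project): check that
every RADIUS client is bound to a defined virtual server, and show which
authorize modules that server runs.  Sample config constructed inline."""
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the layout in the post.  Clients "c" and "d"
# are deliberately misconfigured: "c" has no virtual_server at all (it would
# be handled by the default server), "d" names a server that does not exist.
SAMPLE_CONFIG = """
client a {
    ipaddr = 192.0.2.10
    secret = example-secret-a
    virtual_server = foo
}
client b {
    ipaddr = 192.0.2.20
    secret = example-secret-b
    virtual_server = bar
}
client c {
    ipaddr = 192.0.2.30
    secret = example-secret-c
}
client d {
    ipaddr = 192.0.2.40
    secret = example-secret-d
    virtual_server = missing
}
server foo {
    authorize {
        files      # module that reads the "users" file
        pap
    }
    authenticate {
        pap
    }
}
server bar {
    authorize {
        ldap
    }
    authenticate {
        ldap
    }
}
"""

BLOCK_OPEN = re.compile(r"^(\w+)(?:\s+(\S+))?\s*\{$")  # "server foo {" / "authorize {"
ASSIGN = re.compile(r"^(\w+)\s*=\s*(.*)$")             # "virtual_server = foo"


def parse(text: str) -> dict:
    """Parse the simplified config into nested nodes.

    Each node is {"attrs": {key: value}, "modules": [bare names], "children":
    {"client a": node, "authorize": node, ...}}.  Only the subset of syntax
    used in the sample is supported.
    """
    root = {"attrs": {}, "modules": [], "children": {}}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            name, arg = m.group(1), m.group(2)
            key = f"{name} {arg}" if arg else name
            node = {"attrs": {}, "modules": [], "children": {}}
            stack[-1]["children"][key] = node
            stack.append(node)
            continue
        m = ASSIGN.match(line)
        if m:
            stack[-1]["attrs"][m.group(1)] = m.group(2).strip()
            continue
        stack[-1]["modules"].append(line)  # bare module reference, e.g. "ldap"
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def _named(cfg: dict, kind: str) -> Dict[str, dict]:
    """Return {name: node} for top-level blocks of the given kind ("client"/"server")."""
    prefix = kind + " "
    return {k[len(prefix):]: v for k, v in cfg["children"].items() if k.startswith(prefix)}


def authorize_modules(cfg: dict, server: str) -> List[str]:
    """Modules listed in the authorize section of the named virtual server."""
    node = _named(cfg, "server")[server]
    return list(node["children"].get("authorize", {"modules": []})["modules"])


def check_bindings(cfg: dict) -> Tuple[Dict[str, str], List[str]]:
    """Return (client -> virtual server it is bound to, list of problems).

    A client without virtual_server is not bound to any backend and falls
    through to the default server; a client naming an undefined server is
    equally unbound.  Both are reported rather than silently accepted.
    """
    servers = _named(cfg, "server")
    bindings: Dict[str, str] = {}
    problems: List[str] = []
    for cname, cnode in _named(cfg, "client").items():
        vs = cnode["attrs"].get("virtual_server")
        if vs is None:
            problems.append(f"client {cname}: no virtual_server (falls through to default server)")
        elif vs not in servers:
            problems.append(f"client {cname}: virtual_server '{vs}' is not defined")
        else:
            bindings[cname] = vs
    return bindings, problems


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    bound, issues = check_bindings(cfg)
    for client, server in bound.items():
        print(f"client {client} -> server {server}: authorize = {authorize_modules(cfg, server)}")
    for issue in issues:
        print("PROBLEM:", issue)
```

Run on the constructed sample, the checker binds a to foo (authorize: files, pap) and b to bar (authorize: ldap), and flags c and d as unbound. The same idea applies to a real deployment: after editing clients.conf and the virtual-server files, confirm that no client is left without a virtual_server, since such a client silently uses the default server and whichever backends it lists.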


