one RADIUS server per realm setup

Wm. Josiah Erikson wjerikson at hampshire.edu
Wed Jan 23 16:33:17 CET 2008


Hello all,
    We are trying to set up a cross-auth proxy setup between our five 
RADIUS servers in different realms at five different institutions, so 
that any active student, staff, or faculty from any of our institutions 
can go to any of the other institutions and log onto the network. This 
means that if a user from institution B comes to my institution, I want 
my RADIUS server to ask the RADIUS server over at institution B instead 
of using the local setup.
    I've gotten much of it working, both authorizing and authenticating 
against our LDAP database here, but something about the authorization 
step is unclear to me. At the moment, I have it set up so that if I get 
a login request, it checks to see if the user is a member of the correct 
group(s) (authorization), and THEN authenticates the user, checking the 
realm to see where it should send the request for authentication. This 
all works very well, except that the authorization step only works if 
the user is one of MY users. If the user is one of the other 
four-college users, then the authorization step fails (since the user 
doesn't exist in my LDAP database) and the user is rejected. So I think 
I need to do one of three things:

    1. Proxy authorization as well - it's not clear how to do this. Can 
you? I'd really just like to forward the entire request elsewhere, 
before anything else happens, so I'd like to check the realm FIRST, and 
not do anything if it's not a local realm.
    2. Skip authorization entirely unless the user is a member of a 
specific realm. Again, it's not clear to me how to do this. Any ideas?

    3. something else I haven't thought of yet.

    This must be something other people do too, yes? We'd like to be 
able to do the authorization step, because I don't want, for instance, 
alumni or guest users (who are in the LDAP database) to be able to log in.

    I'm currently using freeradius 1.0.2, but I can upgrade if I need to.

    Thanks for any help, and if more info is needed, just ask!

-- 
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091
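The realm-first ordering the message asks for (check the realm, forward the whole request if it is remote, and only run local LDAP group authorization for local users), as an added example configuration that is not part of the original post and not the FreeRADIUS project's own documentation. It assumes FreeRADIUS 2.x unlang syntax (so an upgrade from 1.0.2 is required), that the local realm is hampshire.edu, and that the ldap module's group lookup (groupname_attribute, groupmembership_filter) is already configured; the remote institution's realm name, address and shared secret, and the group names students, staff and faculty, are constructed placeholders.

```unlang
# --- raddb/proxy.conf (FreeRADIUS 2.x) ---
# One home server per remote institution. 192.0.2.10 and the secret are
# constructed placeholders. Only realms listed in this file are ever
# proxied; there is deliberately no DEFAULT realm, so an unknown suffix
# is never forwarded anywhere.
home_server institution_b {
	type   = auth
	ipaddr = 192.0.2.10
	port   = 1812
	secret = CHANGE_ME_shared_secret
}

home_server_pool institution_b_pool {
	type        = fail-over
	home_server = institution_b
}

# Remote realm: requests for user@institution-b.example go to institution B,
# which does its own group authorization for its own users.
realm institution-b.example {
	auth_pool = institution_b_pool
}

# Local realm: no auth_pool, so the request stays on this server.
realm hampshire.edu {
}

# --- raddb/sites-enabled/default, authorize section ---
authorize {
	preprocess

	# Split user@realm and look the realm up in proxy.conf. For a remote
	# realm the module sets control:Proxy-To-Realm; for the local realm it
	# sets Realm but not Proxy-To-Realm; for an unknown realm it sets neither.
	suffix

	if ("%{control:Proxy-To-Realm}" != "") {
		# Remote user: hand the whole request to the home server before
		# any local LDAP lookup, so a missing local account cannot cause
		# a reject here. The server proxies after authorize and does not
		# run the local authenticate section for this request.
		ok
	}
	elsif (Realm == "hampshire.edu") {
		# Local user: authorize against local LDAP group membership.
		ldap
		if (Ldap-Group == "students" || Ldap-Group == "staff" || Ldap-Group == "faculty") {
			ok
		}
		else {
			# Alumni, guests and anyone else present in LDAP but outside
			# the permitted groups are rejected.
			reject
		}
	}
	else {
		# No realm, or a realm not defined in proxy.conf: fail closed.
		reject
	}
}
```

Each of the five servers carries the same structure with its own realm left without an auth_pool and the other four defined as home servers; authorization for a visiting user is then always the decision of that user's home institution. Because no DEFAULT realm is defined, a suffix that is not in proxy.conf falls into the final reject rather than being forwarded, and each home_server secret should be unique per peer so that a compromise of one link does not expose the others.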




More information about the Freeradius-Users mailing list