one RADIUS server per realm setup

Wm. Josiah Erikson wjerikson at hampshire.edu
Wed Jan 23 19:52:10 CET 2008


I had to log onto the website to see Alan's reply for some reason (I 
think I need to adjust my spam filters) - thanks for that! So I'm 
replying to my original message instead of to Alan's.

Alan says proxying does this for me, but in fact it doesn't (in my old 
version anyway). Proxying seems to work only for authentication and not 
for authorization. Yes, we are trying to copy what eduroam does, for the 
most part.

I'll try upgrading my version, since I'm so painfully behind, and 
hopefully it will work as described. Thanks!

    -Josiah



Wm. Josiah Erikson wrote:
> Hello all,
>    We are trying to set up a cross-auth proxy setup between our five 
> RADIUS servers in different realms at five different institutions, so 
> that any active student, staff, or faculty from any of our 
> institutions can go to any of the other institutions and log onto the 
> network. This means that if a user from institution B comes to my 
> institution, I want my RADIUS server to ask the RADIUS server over at 
> institution B instead of using the local setup.
>    I've gotten much of it working, both authorizing and authenticating 
> against our LDAP database here, but something about the authorization 
> step is unclear to me. At the moment, I have it set up so that if I 
> get a login request, it checks to see if the user is a member of the 
> correct group(s) (authorization), and THEN authenticates the user, 
> checking the realm to see where it should send the request for 
> authentication. This all works very well, except that the 
> authorization step only works if the user is one of MY users. If the 
> user is one of the other four-college users, then the authorization 
> step fails (since the user doesn't exist in my LDAP database) and the 
> user is rejected. So I think I need to do one of three things:
>
>    1. Proxy authorization as well - it's not clear how to do this. Can 
> you? I'd really just like to forward the entire request elsewhere, 
> before anything else happens, so I'd like to check the realm FIRST, 
> and not do anything if it's not a local realm.
>    2. Skip authorization entirely unless the user is a member of a 
> specific realm. Again, it's not clear to me how to do this. Any ideas?
>
>    3. something else I haven't thought of yet.
>
>    This must be something other people do too, yes? We'd like to be 
> able to do the authorization step, because I don't want, for instance, 
> alumni or guest users (who are in the LDAP database) to be able to 
> log in.
>
>    I'm currently using freeradius 1.0.2, but I can upgrade if I need to.
>
>    Thanks for any help, and if more info is needed, just ask!
>

-- 
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091
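Added example, not part of the thread above and not FreeRADIUS project configuration: one way to get the "check the realm FIRST, and only authorize locally if it is a local realm" behaviour that the original message asks for. It assumes FreeRADIUS 2.x (the original poster is on 1.0.2 and says he will upgrade), so it uses unlang, which 1.x does not have. The realm names, host names, pool name, shared secret and LDAP group DN are placeholders.

```conf
# ---- proxy.conf (FreeRADIUS 2.x; hostnames, secret and pool name are hypothetical) ----

home_server collegeB {
        type   = auth
        ipaddr = radius.collegeb.example
        port   = 1812
        # Pick a long random secret per partner; a shared secret is also the
        # only thing stopping a spoofed partner from answering your requests.
        secret = replace-with-a-long-random-secret
        require_message_authenticator = yes
        status_check = status-server
}

home_server_pool collegeB_pool {
        type        = fail-over
        home_server = collegeB
}

# Our own realm: no auth_pool means "handle locally", and the realm module
# does NOT set Proxy-To-Realm for it.
realm hampshire.edu {
}

# Users who log in without an @realm are local too.
realm NULL {
}

# A partner realm: proxy it, and keep the full User-Name ("nostrip") so the
# home server sees the realm it needs to route the inner request.
realm collegeb.example {
        auth_pool = collegeB_pool
        nostrip
}

# ---- sites-enabled/default, authorize section ----
authorize {
        preprocess

        # Decide the realm before anything else.  For a realm with a pool,
        # the realm module sets control:Proxy-To-Realm and the request is
        # proxied after this section returns; for a local realm it does not.
        suffix

        if (control:Proxy-To-Realm) {
                # Remote user: do nothing locally.  Their home server both
                # authenticates and authorizes them (the eduroam model); we
                # cannot look them up because they are not in our LDAP.
                ok
        }
        else {
                # Local user: eligibility check against our LDAP first, so
                # alumni and guests who exist in LDAP but are not in the
                # group are rejected before any authentication happens.
                # Ldap-Group is the comparison registered by the ldap module
                # (needs groupname_attribute / groupmembership_filter set).
                ldap
                if (!(Ldap-Group == "cn=network-users,ou=groups,dc=example,dc=edu")) {
                        reject
                }
        }

        eap
        expiration
        logintime
        pap
}
```

Two caveats a practitioner should keep in mind with this layout. First, a realm that is not listed in proxy.conf matches nothing, so the request falls into the local branch and is looked up in your LDAP; decide explicitly whether unknown realms should be rejected instead. Second, once you proxy, the partner's server is trusted for the whole policy decision, and its Access-Accept can carry attributes that affect your network (VLAN assignment, session limits), so filter replies from home servers in the post-proxy section (FreeRADIUS ships an `attr_filter.post-proxy` instance for this) and agree with each institution on what their server will accept for their own users.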



