one RADIUS server per realm setup
Wm. Josiah Erikson
wjerikson at hampshire.edu
Thu Jan 24 21:38:03 CET 2008
Hi,
I'm the guy that's trying to kinda duplicate eduroam, if you
remember - I had an outdated server and Alan recommended I update to
v2.0.1, which I have now done.
I've gotten this working (after updating my server and building
freeradius packages for it) - in 2.0.1, when I uncommented the "IPASS"
option in the authorize section, which says:
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
which is exactly what I wanted, and it seems to do what I want now -
when it finds a non-local realm, it no longer tries to authorize
locally. Good. Everything is peachy.
However... question. It says in radiusd.conf:
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
# really can't emphasize this enough.
Uh. OK. That's exactly what I'm doing, and it's working :) I'm only
doing it because I wanted to reject or accept local users based on
groups, so I have the following in radiusd.conf:
groupname_attribute = gidNumber
groupmembership_filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name}))"
and then the following in users:
# Allow Students
DEFAULT Ldap-Group == "200", Auth-Type := LDAP
# ...and Staff
DEFAULT Ldap-Group == "250", Auth-Type := LDAP
# ...and Faculty
DEFAULT Ldap-Group == "300", Auth-Type := LDAP
# ...and nobody else!
DEFAULT Auth-Type := Reject
        Reply-Message = "Only current faculty, staff or students are allowed to log in."
It seems to do what I want. We don't store the group name in the LDAP
user entry, so I'm using the gid, which works fine.
However, is there a better way to do this that I'm not understanding?
Why shouldn't I set Auth-Type := LDAP ?
Thanks so much! I'm just trying to pay attention to the documentation,
which tells me very strongly not to do exactly what I'm doing, even
though it really seems to work.
-Josiah
A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>
>> 1. Proxy authorization as well - it's not clear how to do this. Can you?
>> I'd really just like to forward the entire request elsewhere, before
>> anything else happens, so I'd like to check the realm FIRST, and not do
>> anything if it's not a local realm.
>>
>
> yes, that's exactly what you do proxy stuff for - you'll define your
> local realm, and null realm etc. you then define the realms and the
> RADIUS server address for each of those realms. the requests
> then get proxied to the remote systems.
>
> it's similar to what we do with eduroam in europe - and myself with
> JRS (the 'UK side' of eduroam) - http://www.ja.net/roaming
>
>
>> I'm currently using freeradius 1.0.2, but I can upgrade if I need to.
>>
>
> definitely upgrade -> 2.0.1 the proxy stuff is soo much better
> (failovers, dead timers, status requests etc)
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091
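The users-file entries Josiah posted rely on FreeRADIUS's first-match rule: processing stops at the first DEFAULT whose check items match unless that entry sets Fall-Through = Yes, which is why the final DEFAULT acts as a catch-all Reject. The following is an added example, not code from the post or from FreeRADIUS, that parses those four entries and applies that rule to constructed requests; it models the Ldap-Group comparison (which the real ldap module performs against the directory) as a plain list of gids attached to the request, and ignores users-file features the post does not use.

```python
"""Minimal model of FreeRADIUS 'users' file matching (constructed example)."""
import re

# The entries from the post, reproduced verbatim: check items on the first line,
# reply items on indented continuation lines, comments starting with '#'.
USERS_FILE = """\
# Allow Students
DEFAULT Ldap-Group == "200", Auth-Type := LDAP
# ...and Staff
DEFAULT Ldap-Group == "250", Auth-Type := LDAP
# ...and Faculty
DEFAULT Ldap-Group == "300", Auth-Type := LDAP
# ...and nobody else!
DEFAULT Auth-Type := Reject
        Reply-Message = "Only current faculty, staff or students are allowed to log in."
"""

# attribute, operator (':=' before '==' before '=' so the longest form wins),
# then either a double-quoted string or a bare value up to a comma/space.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*(?:"([^"]*)"|([^\s,]+))')


def parse_items(text):
    """Return [(attribute, operator, value), ...] for one line of items."""
    items = []
    for m in ITEM_RE.finditer(text):
        value = m.group(3) if m.group(3) is not None else m.group(4)
        items.append((m.group(1), m.group(2), value))
    return items


def parse_users(text):
    """Split a users file into entries: name, check items, reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():
            # Indented line: reply items belonging to the preceding entry.
            entries[-1]['reply'].extend(parse_items(line))
            continue
        name, _, rest = line.partition(' ')
        entries.append({'name': name, 'check': parse_items(rest), 'reply': []})
    return entries


def evaluate(entries, request):
    """Apply first-match semantics; return (control items, reply items).

    request maps attribute names to lists of values, e.g. the gids the user
    belongs to under 'Ldap-Group' (a simplification of the ldap module's
    group comparison, which the real server performs against the directory).
    """
    control, reply = {}, {}
    for entry in entries:
        if entry['name'] != 'DEFAULT' and \
                entry['name'] not in request.get('User-Name', []):
            continue
        assigns, matched = [], True
        for attr, op, val in entry['check']:
            if op == '==' and val not in request.get(attr, []):
                matched = False
                break
            if op == ':=':
                # Control assignment: applied only if the entry matches.
                assigns.append((attr, val))
        if not matched:
            continue
        control.update(assigns)
        reply.update({attr: val for attr, _, val in entry['reply']})
        # First matching entry wins unless it explicitly falls through.
        if reply.pop('Fall-Through', 'No').lower() != 'yes':
            break
    return control, reply


if __name__ == '__main__':
    entries = parse_users(USERS_FILE)
    # Constructed requests: a student (gid 200) and an account in no allowed group.
    for req in ({'User-Name': ['alice'], 'Ldap-Group': ['200']},
                {'User-Name': ['mallory'], 'Ldap-Group': ['999']}):
        print(req['User-Name'][0], evaluate(entries, req))
```

Running it shows the student request leaving with Auth-Type := LDAP and no reply items, while the gid-999 request falls past the three group entries and picks up Auth-Type := Reject together with the Reply-Message. Adding "Fall-Through = Yes" as a reply item on one of the group entries would let later entries also apply, which is the knob to reach for when several DEFAULT entries should contribute to one request.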