one RADIUS server per realm setup

Wm. Josiah Erikson wjerikson at hampshire.edu
Thu Jan 24 21:38:03 CET 2008


Hi,
    I'm the guy that's trying to kinda duplicate eduroam, if you 
remember - I had an outdated server and Alan recommended I update to 
v2.0.1, which I have now done.

I've gotten this working (after updating my server and building 
freeradius packages for it) - in 2.0.1, when I uncommented the "IPASS" 
option in the authorize section, which says:

        #  Look for IPASS style 'realm/', and if not found, look for
        #  '@realm', and decide whether or not to proxy, based on
        #  that.

which is exactly what I wanted, and it seems to do what I want now - 
when it finds a non-local realm, it no longer tries to authorize 
locally. Good. Everything is peachy.

However... question. It says in radiusd.conf:

        #  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
        #  really can't emphasize this enough.

Uh. OK. That's exactly what I'm doing, and it's working :) I'm only 
doing it because I wanted to reject or accept local users based on 
groups, so I have the following in radiusd.conf:

                groupname_attribute = gidNumber
                groupmembership_filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name}))"

and then the following in users:

# Allow Students
DEFAULT Ldap-Group == "200", Auth-Type := LDAP

# ...and Staff
DEFAULT Ldap-Group == "250", Auth-Type := LDAP

# ...and Faculty
DEFAULT Ldap-Group == "300", Auth-Type := LDAP

# ...and nobody else!
DEFAULT         Auth-Type := Reject
                Reply-Message = "Only current faculty, staff or students are allowed to log in."


It seems to do what I want. We don't store the group name in the LDAP 
user entry, so I'm using the gid, which works fine.

However, is there a better way to do this that I'm not understanding? 
Why shouldn't I set Auth-Type := LDAP?

Thanks so much! I'm just trying to pay attention to the documentation, 
which tells me very strongly not to do exactly what I'm doing, even 
though it really seems to work.

    -Josiah




A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>   
>>    1. Proxy authorization as well - it's not clear how to do this. Can you? 
>> I'd really just like to forward the entire request elsewhere, before 
>> anything else happens, so I'd like to check the realm FIRST, and not do 
>> anything if it's not a local realm.
>>     
>
> yes, that's exactly what you do proxy stuff for - you'll define your
> local realm, and null realm etc. you then define the realms and the
> RADIUS server address for each of those realms. the requests
> then get proxied to the remote systems.
>
> it's similar to what we do with eduroam in europe - and myself with
> JRS (the 'UK side' of eduroam) - http://www.ja.net/roaming
>
>   
>>    I'm currently using freeradius 1.0.2, but I can upgrade if I need to.
>>     
>
> definitely upgrade -> 2.0.1  the proxy stuff is soo much better
> (failovers, dead timers, status requests etc)
>
> alan

-- 
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091
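The two decisions this configuration makes (split the realm IPASS-style before looking for '@', proxy anything non-local, then accept local users only by gidNumber and reject everyone else) can be modelled outside the server to sanity-check a policy before rolling it out. The following Python is an added example, not code from the post or from FreeRADIUS; the local realm name, the uid-to-gid directory and the sample user names are all constructed.

```python
"""Added example: a stand-alone model of the realm-split and group-check
policy described in the post. Not FreeRADIUS code; the realm name, the
LDAP stand-in and the user names below are constructed for illustration."""

# Constructed assumption: the local realm, plus None for names carrying no realm.
LOCAL_REALMS = {"hampshire.edu", None}
# gidNumber values from the users file: Students, Staff, Faculty.
ALLOWED_GIDS = {"200", "250", "300"}
REJECT_MSG = "Only current faculty, staff or students are allowed to log in."


def split_realm(user_name):
    """Mimic the authorize-section comment: look for an IPASS-style 'realm/'
    prefix first, then an '@realm' suffix. Returns (stripped_name, realm);
    realm is None when neither form is present."""
    if "/" in user_name:
        realm, _, user = user_name.partition("/")      # text before the first '/'
        return user, realm.lower()
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")     # text after the last '@'
        return user, realm.lower()
    return user_name, None


def decide(user_name, directory):
    """Return ('proxy', realm), ('accept', gid) or ('reject', message).

    `directory` is a constructed stand-in for the LDAP lookup keyed by
    Stripped-User-Name (uid -> gidNumber). A non-local realm is proxied
    before any local lookup happens; a local user is accepted only when the
    gid matches one of the allowed groups, otherwise the DEFAULT Reject
    entry applies, including for users the directory does not know."""
    stripped, realm = split_realm(user_name)
    if realm not in LOCAL_REALMS:
        return ("proxy", realm)
    gid = directory.get(stripped)
    if gid in ALLOWED_GIDS:
        return ("accept", gid)
    return ("reject", REJECT_MSG)


if __name__ == "__main__":
    # Constructed sample directory: uid -> gidNumber.
    sample = {"alice": "200", "dave": "999", "erin": "300"}
    for name in ("alice@hampshire.edu", "utwente.nl/bob", "dave", "frank", "erin"):
        print(name, "->", decide(name, sample))
```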



