Configuration Question

Rupert Finnigan rupert.finnigan at
Fri Sep 26 10:12:44 CEST 2008


This isn't a question about a problem, rather a "best practice" sort of

I've currently got a FreeRADIUS installation servicing a number of Cisco
units providing WPAv2 Auth against MS AD. This works great.

I need to expand my setup a bit, and am looking for guidance/advice as to
how best to configure the server to get what I want.

I can split my users into two sets - a "head office" set, and a "regional"
set. The Head Office guys will need to be able to gain access anywhere, but
the regional guys will only need to get access to either one, or a couple of
networks in regional locations. E.g., Regional User 1 can access the network
in Region 1 only, but Regional User 2 can access the network in Regions 1 &

The Head Office guys are all authenticated by AD, and I'm planning on having
the Regional Guys stored in a PostgreSQL Database, probably with a matrix
arrangement to store the information relating to the regions they're allowed
access to.

Additionally, it would be good to be able to have two different root CAs -
largely for political reasons.

So far, I'm thinking two domains each with a virtual server, an initial
proxy to hand requests to the two virtual servers based on domain, and then
a bit of Perl moduling to determine which Regions each Regional guy is
allowed access to.

I'd be very grateful for advice/experience to streamline this a bit, or tell
me I'm an idiot and there's a much simpler way!

Many Thanks,
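
An added sketch, not part of the original post and not FreeRADIUS code, of the region "matrix" described above: regional users are granted access per region through a join table, and a request with no matching row is denied. sqlite3 stands in for PostgreSQL, and the realm names, table names, addresses and users are constructed assumptions.

```python
import sqlite3

# sqlite3 stands in for PostgreSQL so the sketch runs offline. The same tables
# work in PostgreSQL; only the driver's placeholder syntax differs.
# All table names, realm names and rows below are constructed for illustration.
SCHEMA = """
CREATE TABLE regions (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE access_points (nas_ip TEXT PRIMARY KEY,
    region_id INTEGER NOT NULL REFERENCES regions(id));
CREATE TABLE user_regions (username TEXT NOT NULL,
    region_id INTEGER NOT NULL REFERENCES regions(id),
    PRIMARY KEY (username, region_id));
"""

HEAD_OFFICE_REALM = "headoffice"  # hypothetical realm for the AD-backed users
REGIONAL_REALM = "regional"       # hypothetical realm for the database users


def build_db():
    """Create an in-memory database holding the constructed sample matrix."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO regions VALUES (?, ?)",
                     [(1, "Region 1"), (2, "Region 2")])
    conn.executemany("INSERT INTO access_points VALUES (?, ?)",
                     [("192.0.2.10", 1), ("192.0.2.20", 2)])
    conn.executemany("INSERT INTO user_regions VALUES (?, ?)",
                     [("regional1", 1), ("regional2", 1), ("regional2", 2)])
    conn.commit()
    return conn


def is_allowed(conn, username, realm, nas_ip):
    """Authorization step only; authentication is assumed to have succeeded."""
    if realm == HEAD_OFFICE_REALM:
        return True   # head office users may connect anywhere
    if realm != REGIONAL_REALM:
        return False  # unknown realm: default deny
    # The username comes from the request, so it is bound as a parameter and
    # never formatted into the SQL text. No row (unknown user, unknown access
    # point, or no grant for that region) means deny.
    row = conn.execute(
        "SELECT 1 FROM user_regions ur "
        "JOIN access_points ap ON ap.region_id = ur.region_id "
        "WHERE ur.username = ? AND ap.nas_ip = ?",
        (username, nas_ip)).fetchone()
    return row is not None
```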
