To proxy, or not to proxy, that is the question ...

Dean, Barry B.Dean at liverpool.ac.uk
Thu Oct 15 12:42:47 CEST 2009


I currently run two virtual servers, one for our local secure wireless  
and one for eduroam customers.

The local one receives RADIUS packets from Bradford Campus Manager,  
which is responsible for Network Access Control and stamps Auth-OK  
replies with the VLAN for the user.

What I want to do is combine these wireless services, so that we just  
have eduroam.

The functionality we will need will be:

The requests will come to the eduroam server address.

if (no domain specified) then
	who are ya?
fi

if (domain is non-local) then
	proxy to user's home site.
fi

if (domain is local AND authenticating from a local NAS) then
	authenticate locally by proxy to Bradford Campus Manager
	(Campus Manager will receive the stripped user at realm as user and proxy to the local server address)
else
	authenticate and return ACK/NACK to remote server in usual way for one of our users visiting remote site
fi

The part I am not sure how to do is the last part, a conditional proxy  
based on source NAS. I assume I need to dip into unlang, but can I put  
that into the proxy.conf file?

realm local.site.ac.uk {
   if( NAS-IP-Address ~= /192.168.*/ ) then # match my likely clients...
      set-up A
   else
      set-up B
   fi
}

Or whatever (I don't speak unlang, yet!), or have I got to determine  
the source of the request somewhere else and use unlang to re-write  
the realm to some special sentinel value that would be caught in  
proxy.conf like:

realm local.site.ac.uk {
	do the normal thing
}

realm special.local.site.ac.uk {
	do the clever NAC proxy stuff
}

As usual, thanks for your time and hope someone can steer me in the  
right direction before my head explodes.

(Yes I did read the docs, didn't help in this case!)

----------------------
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
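
The sentinel-realm approach asked about above, written out as an added example that is not part of the original post and not taken from the FreeRADIUS project: unlang in the virtual server's authorize section sets Proxy-To-Realm, and proxy.conf only defines the realms. It assumes FreeRADIUS 2.x syntax and matches on Packet-Src-IP-Address rather than the NAS-IP-Address used in the post; the pool name, home server name, address and secret are placeholders.

```unlang
# --- sites-available/default (FreeRADIUS 2.x syntax assumed) ---
authorize {
    preprocess
    suffix      # sets Realm; local.site.ac.uk has no home server, so nothing is proxied yet

    # Local user arriving from one of our own NASes.
    # Packet-Src-IP-Address is the address the packet really came from;
    # NAS-IP-Address is filled in by the sender, and a visited site's NAS
    # may well be numbered in 192.168.x.x too.
    if ((Realm == "local.site.ac.uk") && (Packet-Src-IP-Address =~ /^192\.168\./)) {
        update control {
            Proxy-To-Realm := "special.local.site.ac.uk"
        }
    }
    # ... eap, files, etc. handle local users whose requests were
    # proxied in from a remote eduroam site
}

# --- proxy.conf ---
home_server campus_manager {
    type   = auth
    ipaddr = 192.0.2.10        # placeholder address
    port   = 1812
    secret = CHANGE_ME         # placeholder
}

home_server_pool nac_pool {
    type        = fail-over
    home_server = campus_manager
}

# Local realm: no pool, so requests are authenticated on this server.
realm local.site.ac.uk {
}

# Sentinel realm, only ever selected by the unlang above.
# "nostrip" is not set, so the realm is stripped before proxying.
realm special.local.site.ac.uk {
    auth_pool = nac_pool
}
```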