To proxy, or not to proxy, that is the question ...
Dean, Barry
B.Dean at liverpool.ac.uk
Thu Oct 15 12:42:47 CEST 2009
I currently run two virtual servers, one for our local secure wireless
and one for eduroam customers.
The local one receives RADIUS packets from Bradford Campus Manager,
which is responsible for Network Access Control and stamps Auth-OK
replies with the VLAN for the user.
What I want to do is combine these wireless services, so that we just
have eduroam.
The functionality we will need will be:
The requests will come to the eduroam server address.
if (no domain specified) then
    who are ya?
fi
if (domain is non-local) then
    proxy to user's home site.
fi
if (domain is local AND authenticating from a local NAS) then
    authenticate locally by proxy to Bradford Campus Manager
    (Campus Manager will receive the stripped user at realm as user and
    proxy to the local server address)
else
    authenticate and return ACK/NACK to remote server in usual way for
    one of our users visiting remote site
fi
The part I am not sure how to do is the last part, a conditional proxy
based on source NAS. I assume I need to dip into unlang, but can I put
that into the proxy.conf file?
realm local.site.ac.uk {
    if( NAS-IP-Address ~= /192.168.*/ ) then # match my likely clients...
        set-up A
    else
        set-up B
    fi
}
Or whatever (I don't speak unlang, yet!), or have I got to determine
the source of the request somewhere else and use unlang to re-write
the realm to some special sentinel value that would be caught in
proxy.conf like:
realm local.site.ac.uk {
    do the normal thing
}
realm special.local.site.ac.uk {
    do the clever NAC proxy stuff
}
As usual, thanks for your time and hope someone can steer me in the
right direction before my head explodes.
(Yes I did read the docs, didn't help in this case!)
----------------------
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
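
The four-way decision listed in this post, modelled in Python as an added example (it is not FreeRADIUS configuration and not code from the post). It assumes the local NAS devices send from 192.168.0.0/16 and decides on the packet's source address rather than NAS-IP-Address, because NAS-IP-Address is carried inside the request and a visited site's NAS can hold the same private address; the sample requests are constructed.

```python
import ipaddress
import re

LOCAL_REALM = "local.site.ac.uk"           # realm name used in the post
# Assumption for illustration: subnet the local RADIUS clients send from.
LOCAL_CLIENTS = ipaddress.ip_network("192.168.0.0/16")
LOOSE = re.compile(r"192.168.*")           # pattern from the post, unanchored

def realm_of(user_name):
    """Return the lower-cased realm after the last '@', or None if absent."""
    _, sep, realm = user_name.rpartition("@")
    return realm.lower() if sep and realm else None

def route(user_name, packet_src, home_realm=LOCAL_REALM):
    """Pick one of the four outcomes listed in the post."""
    realm = realm_of(user_name)
    if realm is None:
        return "reject"                     # no domain specified
    if realm != home_realm:
        return "proxy-home"                 # non-local: user's home site
    if ipaddress.ip_address(packet_src) in LOCAL_CLIENTS:
        return "proxy-nac"                  # local user on a local NAS
    return "auth-local"                     # our user visiting a remote site

def loose_match(addr):
    """True if the unanchored regex finds a match anywhere in addr."""
    return LOOSE.search(addr) is not None

# Constructed samples: (User-Name, NAS-IP-Address, packet source address)
SAMPLES = [
    ("bob", "192.168.10.5", "192.168.10.5"),
    ("alice@other.ac.uk", "192.168.10.5", "192.168.10.5"),
    ("carol@local.site.ac.uk", "192.168.10.5", "192.168.10.5"),
    # Visited site whose NAS has a private address; packet comes via a proxy.
    ("dave@local.site.ac.uk", "192.168.1.20", "203.0.113.7"),
]

if __name__ == "__main__":
    for user, nas_ip, src in SAMPLES:
        print(f"{user:28} route={route(user, src):10} "
              f"loose regex on NAS-IP-Address={loose_match(nas_ip)}")
```

The last sample is the case to watch: the loose pattern accepts its NAS-IP-Address, while the source-address check routes it as a visiting user.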