To proxy, or not to proxy, that is the question ...

Bob Franklin rcf34 at cam.ac.uk
Thu Oct 15 12:53:59 CEST 2009


On Thu, 15 Oct 2009, Dean, Barry wrote:

> if (domain is local AND authenticating from a local NAS) then
> 	authenticate locally by proxy to Bradford Campus Manager
> 	(Campus Manager will receive the stripped user@realm as user and
> proxy to the local server address)
> else
> 	authenticate and return ACK/NACK to remote server in usual way for
> one of our users visiting remote site
> fi
>
> The part I am not sure how to do is the last part, a conditional proxy 
> based on source NAS. I assume I need to dip into unlang, but can I put 
> that into the proxy.conf file?

We're doing this by using a syntax in the client shortname ('client ... { 
shortname = ... }' in clients.conf).  We declare our RADIUS clients with 
names such as:

   <device>@<site>

So all our things are something@net.cam.ac.uk; things from internal 
colleges or departments are something@college.cam.ac.uk or whatever.  The 
things from JANET Roaming are jrsN@ja.net.

Then, we can do things like:

 	if ("%{Client-Shortname}" =~ /\.cam\.ac\.uk$/) {
 		# do something special when NAS in Cambridge
 	}

Using literal matching or regexps, we've found we can do all sorts of 
things here.

   - Bob


-- 
  Bob Franklin <rcf34 at cam.ac.uk>              +44 1223 748479
  Network Division, University of Cambridge Computing Service
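
The shortname approach from the reply above, laid out end to end as an added example (not configuration from either poster). It assumes FreeRADIUS 2.x syntax; the realm example.ac.uk, the realm name campus_manager, the client names, the documentation-range addresses and the secrets are all placeholders.

```conf
# clients.conf: shortnames follow the <device>@<site> convention
client wlc1 {
	ipaddr    = 192.0.2.10                 # placeholder: a local NAS
	secret    = CHANGE_ME_LOCAL
	shortname = wlc1@net.example.ac.uk
}
client jrs1 {
	ipaddr    = 198.51.100.20              # placeholder: a roaming proxy
	secret    = CHANGE_ME_ROAMING
	shortname = jrs1@roaming.example.net
}

# proxy.conf: a realm that points at the local policy server
home_server campus_manager {
	type   = auth
	ipaddr = 192.0.2.50                    # placeholder address
	port   = 1812
	secret = CHANGE_ME_CM
}
home_server_pool campus_manager_pool {
	type        = fail-over
	home_server = campus_manager
}
realm campus_manager {
	auth_pool = campus_manager_pool
}
# Local realm with no pool: the suffix module sets Realm but does not proxy
realm example.ac.uk {
}

# sites-available/default, inside authorize { }, after the "suffix" line:
# local realm AND request arrived from a local NAS -> proxy to the policy server
if (("%{Realm}" == "example.ac.uk") && ("%{Client-Shortname}" =~ /@net\.example\.ac\.uk$/)) {
	update control {
		Proxy-To-Realm := "campus_manager"
	}
}
# Otherwise nothing is set here, so a local user arriving via a roaming
# client is authenticated locally and the reply goes back the usual way.
```

The shortname is assigned by the administrator in clients.conf and selected by the packet's source address, so it is not taken from anything inside the request. Keep the pattern anchored with `$` and include the `@` so that a shortname merely containing the site string does not match.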


