To proxy, or not to proxy, that is the question ...

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Thu Oct 15 16:50:16 CEST 2009


Hi,

> if (domain is local AND authenticating from a local NAS) then
> 	authenticate locally by proxy to Bradford Campus Manager
> 	(Campus Manager will receive the stripped user at realm as user and  
> proxy to the local server address)
> else
> 	authenticate and return ACK/NACK to remote server in usual way for  
> one of our users visiting remote site
> fi
> 
> The part I am not sure how to do is the last part, a conditional proxy  
> based on source NAS. I assume I need to dip into unlang, but can I put  
> that into the proxy.conf file?

with 2.x ?   just ensure that clients are defined correctly - either by
doing as the other post said, or create a new virtual server (copy your
current one and rename it eg 'eduroam') and then define the proxies as being 
handled by that server ie

internal stuff -> [RADIUS server  {default/inner}] -> return attributes etc

external stuff -> [RADIUS server  {eduroam/inner}] -> no return attributes etc

look at the virtual_server definition in the clients.conf - that says, basically,
for any request from that client, slap it through that virtual server.

this means you can actually have a very stripped down virtual server... no need for
anything weird...anything coming from the proxies will be solely for you (because
the proxy has done the realm work already and decided on suitable target) and
you don't need to deal with setting VLANs etc. the only thing you may want in place
is an authorise section to deal with people who cannot remotely authenticate - eg
they've broken AUP or are infected with virus/reported as bad etc

alan
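
The layout described in the reply above, sketched as FreeRADIUS 2.x configuration. This is an added example, not part of the original post: the client names, addresses, secrets, the blocked_users instance and its file are all assumptions made for illustration.

```conf
# --- clients.conf ---
# Local NAS: no virtual_server set, so its requests are handled by the
# default server (VLAN and other reply attributes assigned there).
client campus-nas {
	# constructed address and placeholder secret
	ipaddr = 192.0.2.20
	secret = CHANGE_ME_LOCAL
}

# Upstream eduroam proxy: every request from this client is sent
# through the stripped-down "eduroam" virtual server.
client eduroam-proxy {
	# constructed address and placeholder secret
	ipaddr = 198.51.100.10
	secret = CHANGE_ME_PROXY
	virtual_server = eduroam
}

# --- modules/blocked_users ---
# Hypothetical second instance of the stock "files" module, used only
# to refuse remote authentication for listed accounts.
files blocked_users {
	usersfile = ${confdir}/blocked_users
}

# --- ${confdir}/blocked_users (constructed entry) ---
# The name must match the User-Name as it arrives from the proxy.
#   baduser@example.ac.uk  Auth-Type := Reject
#           Reply-Message = "Remote authentication disabled"

# --- sites-enabled/eduroam ---
server eduroam {
	authorize {
		# Listed accounts get Auth-Type := Reject before EAP starts.
		blocked_users
		eap
	}
	authenticate {
		eap
	}
	post-auth {
		# "No return attributes": strip the VLAN assignment so local
		# policy is not sent back to the visited site.
		update reply {
			Tunnel-Private-Group-Id !* ANY
		}
	}
}
```

With PEAP or TTLS the outer User-Name can be anonymous, so the same blocked_users check would also need to be listed in the authorize section of the inner virtual server.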



More information about the Freeradius-Users mailing list