To proxy, or not to proxy, that is the question ...
Alan Buxey
A.L.M.Buxey at lboro.ac.uk
Thu Oct 15 16:50:16 CEST 2009
Hi,
> if (domain is local AND authenticating from a local NAS) then
> authenticate locally by proxy to Bradford Campus Manager
> (Campus Manager will receive the stripped user at realm as user and
> proxy to the local server address)
> else
> authenticate and return ACK/NACK to remote server in usual way for
> one of our users visiting remote site
> fi
>
> The part I am not sure how to do is the last part, a conditional proxy
> based on source NAS. I assume I need to dip into unlang, but can I put
> that into the proxy.conf file?
with 2.x ? just ensure that clients are defined correctly - either by
doing as the other post said, or create a new virtual server (copy your
current one and rename it eg 'eduroam') and then define the proxies as being
handled by that server ie
internal stuff -> [RADIUS server {default/inner}] -> return attributes etc
external stuff -> [RADIUS server {eduroam/inner}] -> no return attributes etc
look at the virtual_server definition in the clients.conf - that says, basically,
for any request from that client, slap it through that virtual server.
this means you can actually have a very stripped down virtual server... no need for
anything weird...anything coming from the proxies will be solely for you (because
the proxy has done the realm work already and decided on suitable target) and
you don't need to deal with setting VLANs etc. the only thing you may want in place
is an authorise section to deal with people who cannot remotely authenticate - eg
they've broken AUP or are infected with virus/reported as bad etc
alan
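
The per-client virtual server split described in the reply above, sketched as an added FreeRADIUS 2.x configuration example that is not part of the original post. The client names, addresses, secrets and the blocked-user pattern are constructed placeholders, and the `eap` module is assumed to be configured already.

```conf
# clients.conf: the client a request arrives from selects the virtual server.
# Names, addresses and secrets below are constructed placeholders.
client campus_nas {
        ipaddr         = 192.0.2.10
        secret         = REPLACE_WITH_NAS_SECRET
        shortname      = campus-nas
        virtual_server = default        # internal: VLANs and reply attributes
}

client eduroam_proxy {
        ipaddr         = 198.51.100.20
        secret         = REPLACE_WITH_PROXY_SECRET   # distinct from the NAS secret
        shortname      = eduroam-proxy
        virtual_server = eduroam        # external: realm already decided upstream
}

# sites-enabled/eduroam: stripped-down server for our users visiting
# remote sites. No realm handling and no VLAN or other local reply
# attributes are set here; the remote site only needs accept or reject.
server eduroam {
        authorize {
                # Hypothetical block list: refuse users who may not
                # authenticate remotely (AUP breach, infected machine).
                if ("%{User-Name}" =~ /^(blocked1|blocked2)@example\.ac\.uk$/) {
                        reject
                }
                eap
        }
        authenticate {
                eap
        }
}
```

Running the server in debug mode and sending one test request from each client address shows which virtual server handled it.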