To proxy, or not to proxy, that is the question ...
Dean, Barry
B.Dean at liverpool.ac.uk
Thu Oct 15 17:13:23 CEST 2009
Thanks for this, and thanks to Bob Franklin too. I have something
working now by selecting on client name and re-writing the User-Name
to append "bcm", then proxying that alone to the NAC servers. This
leaves all the config I had before for my existing domains alone.
I might try the other virtual server approach as well, as that is quite
neat.
All I need now is for the blasted NAC server to recognise me as a
client and actually do something instead of ignoring me!
Thanks again.
(I now speak some unlang!)
On 15 Oct 2009, at 15:50, Alan Buxey wrote:
> Hi,
>
>> if (domain is local AND authenticating from a local NAS) then
>> authenticate locally by proxy to Bradford Campus Manager
>> (Campus Manager will receive the stripped user at realm as user and
>> proxy to the local server address)
>> else
>> authenticate and return ACK/NACK to remote server in usual way for
>> one of our users visiting remote site
>> fi
>>
>> The part I am not sure how to do is the last part, a conditional proxy
>> based on source NAS. I assume I need to dip into unlang, but can I put
>> that into the proxy.conf file?
>
> with 2.x? just ensure that clients are defined correctly - either by
> doing as the other post said, or create a new virtual server (copy your
> current one and rename it eg 'eduroam') and then define the proxies
> as being handled by that server ie
>
> internal stuff -> [RADIUS server {default/inner}] -> return
> attributes etc
>
> external stuff -> [RADIUS server {eduroam/inner}] -> no return
> attributes etc
>
> look at the virtual_server definition in the clients.conf - that
> says, basically, for any request from that client, slap it through
> that virtual server.
>
> this means you can actually have a very stripped down virtual
> server... no need for anything weird... anything coming from the
> proxies will be solely for you (because the proxy has done the realm
> work already and decided on a suitable target) and you don't need to
> deal with setting VLANs etc. the only thing you may want in place
> is an authorise section to deal with people who cannot remotely
> authenticate - eg they've broken AUP or are infected with a
> virus/reported as bad etc
>
> alan
----------------------
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
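The two approaches discussed in this thread, put together as an added example (not Barry's or Alan's own configuration): local NASes are routed through the default virtual server, where requests for the local domain are handed to a Bradford Campus Manager home server, while requests arriving from the eduroam proxy go through a separate, stripped-down virtual server that never returns VLAN attributes. The IP addresses, shared secrets and the realm name example.ac.uk are constructed placeholders; the syntax is FreeRADIUS 2.x.

```unlang
# clients.conf: which virtual server handles each source NAS/proxy
client local-nas {
    ipaddr         = 192.0.2.10       # constructed: a campus NAS
    secret         = CHANGE_ME
    shortname      = local-nas
    virtual_server = default
}
client eduroam-proxy {
    ipaddr         = 198.51.100.5     # constructed: national proxy
    secret         = CHANGE_ME
    shortname      = eduroam-proxy
    virtual_server = eduroam          # stripped-down server, see below
}

# proxy.conf: the NAC server as a home server behind its own realm
home_server nac {
    type   = auth
    ipaddr = 203.0.113.20             # constructed: Campus Manager
    port   = 1812
    secret = CHANGE_ME
}
home_server_pool nac_pool {
    type        = fail-over
    home_server = nac
}
realm bcm {
    auth_pool = nac_pool
    nostrip                           # NAC sees the full user@realm
}
realm example.ac.uk {                 # local realm: suffix sets Realm,
    # no pool: authenticated locally unless overridden below
}

# sites-available/default, authorize section (local NASes only)
authorize {
    preprocess
    suffix
    # Local domain from a local NAS: force a proxy to the NAC server.
    # Anything else follows the normal realm/proxy decision.
    if (Realm == "example.ac.uk") {
        update control {
            Proxy-To-Realm := "bcm"
        }
    }
    eap
}

# sites-available/eduroam: authorize/authenticate locally, no VLAN
# reply attributes; add a check here for users who must be refused
# (AUP breach, infected host) rather than in the default server.
```

Because the eduroam virtual server only ever sees traffic from the proxy client, it can omit every reply attribute that carries meaning only on the local network.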