Virtual Servers, the Realms Module, and Proxying

Jacob Dawson dawson at vt.edu
Thu Aug 4 22:18:02 CEST 2011


Well, we can certainly finagle that in Unlang, with a little thinking.  I played with that earlier in this project.  Happy to leave module/realm if that's the best route, and that means I can probably pull all of that out of proxy.conf, too.

I don't think we'll run into the internal proxy chain problem, since we're sending the inner tunnel off to IAS.  I'll keep this in mind if it seems to be randomly breaking, though. 

Thanks for the prompt response.
- Jacob

On 4 Aug 2011, at 15:54, Arran Cudbard-Bell wrote:

> The whole realms/ suffix/ prefix methodology has been obsoleted by Unlang.
> 
> If you load up policy.conf in the master branch (use GitHub) there's an example of proxying using unlang. Just re-parse the User-Name string each time a request comes into one of the Virtual Servers.
> 
> Incidentally, been down that route many years ago. I think you're maybe the second or third person on the list who's asked about this. Yes it's a brilliant way to organise the server. No it won't work out like you want it to.
> 
> FreeRADIUS does not have unlimited internal proxy hops. So if you have an outer listen server, which proxies to another outer server, which un-encapsulates EAP and proxies to an inner server, which proxies to another inner server, somewhere in that line of proxying you'll hit a random error and the request will fail.
> 
> I keep poking Alan to fix it, but he says it's hard.
> 
> -Arran
> 
> Arran Cudbard-Bell
> a.cudbardb at freeradius.org
> 
> RADIUS - Half the complexity of Diameter
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
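
An added illustration of the approach discussed in this thread (re-parsing User-Name with Unlang in each virtual server rather than relying on the realm module's suffix/prefix instances); it is not part of either message and is not the policy.conf example the reply refers to. The policy name `route_by_realm`, the server name `outer_example` and the realm `example.org` are assumptions, and this sketch also assumes the realm is still defined with its home server pool in proxy.conf.

```unlang
# Added example: realm routing in Unlang with an explicit allow-list.
# All names below are hypothetical.
policy {
	route_by_realm {
		# Require exactly one "@" and a conservative realm character set,
		# so malformed or multi-realm User-Names are never routed.
		if (User-Name =~ /^[^@]+@([-a-zA-Z0-9.]+)$/) {
			# %{1} is the captured realm. The comparison is case-sensitive.
			switch "%{1}" {
				case "example.org" {
					update control {
						# Assumed to name a realm defined in proxy.conf.
						Proxy-To-Realm := "example.org"
					}
				}
				case {
					# Realm not on the allow-list: do not proxy.
					reject
				}
			}
		}
		else {
			# No realm, or a User-Name that does not match the pattern.
			reject
		}
	}
}

# Each virtual server that receives requests runs the same policy,
# so the User-Name is parsed again on every hop.
server outer_example {
	authorize {
		route_by_realm
	}
}
```

Keeping the allow-list in one policy means every virtual server applies the same routing decision, and a request is proxied only to realms an administrator has named.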