using freeRadius to authenticate a user to access different sources with different configuration

Fajar A. Nugraha list at fajar.net
Tue May 17 15:10:49 CEST 2011


On Tue, May 17, 2011 at 7:41 PM, Abbas Yazdanpanah
<yazdanpanah.a+freeradius at gmail.com> wrote:
> Dear Fajr
>
> I've read all the documents (it took about 2 months for me to read and
> learn them)

It shouldn't take THAT long :P
If you have a problem, you can check whether it's a known problem in the FAQ.
If it's not, follow instructions on
http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21

> The easiest solution to this scenario is using three separate
> freeRadius servers where first one is a proxy which duplicates the
> authentication request to the other servers and the other servers are
> responsible for AAA on each resource

Step back up a bit.

If you said "first one is a proxy which duplicates the authentication
request to the other servers", then there should be something that you
can use to determine which request goes to which server, right? What is
that? Is it NAS-IP-address? Is it some other attribute? Whatever it
is, you need to know EXACTLY what the criteria is, and what the
desired response should be. Like Alan said, use words relevant to
radius (like the attribute "NAS-IP-address", or "Realm", or whatever
your criteria is) instead of saying "I have two resources, the first
one is the Internet and the second is an intranet".

Next, you might want to look at unlang
(http://freeradius.org/radiusd/man/unlang.html). Basically if you
already know the criteria, you can use a simple if-else block to return
the correct response.

Last, if you already know how to implement a proxy and two separate
freeradius servers to solve your problem, you can just use virtual
servers. Start by reading proxy.conf (to understand how to pass a
request to a virtual server) as well as sites-available/inner-tunnel
and sites-available/virtual.example.com (to see examples of virtual
server configurations).

-- 
Fajar
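
The unlang approach suggested in the message above, as an added example that is not part of the original post or the FreeRADIUS distribution. It assumes the criterion is NAS-IP-Address; the two addresses and the reply values are constructed, and the sections belong in the virtual server that receives the requests (FreeRADIUS 2.x syntax).

```unlang
# Added example. Assumption: each resource is fronted by its own NAS,
# so NAS-IP-Address identifies which resource the user is asking for.
# 192.0.2.10 = "Internet" gateway, 192.0.2.20 = intranet gateway (constructed).

authorize {
    preprocess

    # Default deny: a request whose NAS-IP-Address matches neither
    # resource is rejected before any user lookup is done.
    if ((NAS-IP-Address != 192.0.2.10) && (NAS-IP-Address != 192.0.2.20)) {
        reject
    }

    files
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
}

post-auth {
    # Reply attributes are added here, so they are only set for
    # requests that have already authenticated successfully.
    if (NAS-IP-Address == 192.0.2.10) {
        update reply {
            Session-Timeout := 3600
            Reply-Message := "Internet access granted"
        }
    }
    elsif (NAS-IP-Address == 192.0.2.20) {
        update reply {
            Session-Timeout := 28800
            Idle-Timeout := 900
        }
    }
}
```

NAS-IP-Address is supplied by the NAS inside the request, so this split is only as trustworthy as the client entries and shared secrets in clients.conf.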