Freeradius proxy to IAS w/SQL attributes?

Alan DeKok aland at
Wed Nov 9 22:10:44 CET 2011

Rob Ansaldo wrote:
> We are already running a MS IAS Radius server that uses our AD, but what
> we would like to do is to use FreeRADIUS to proxy requests to our IAS
> server and add in some vendor specific attributes that we would set in a
> MySQL database.

  That should be possible.

> The IAS server does not have these attributes, nor do we
> want to use the IAS server for them.

  Or... you could just use FreeRADIUS for everything. :)

> What would be preferred is to set
> the attributes in the MySQL database based on other business logic.
> These are 802.1x wireless clients connecting to our wireless controller.
> I have successfully configured FreeRADIUS to proxy the requests from the
> wireless controller to our IAS server. Where I am having trouble is
> applying any sort of custom attributes to the response. I can see that
> the client username is being queried, a group is being obtained and the
> attributes for that group are being queried but they never appear in the
> Access-Accept.

  You're doing the SQL lookup before the proxy.  So the response from
IAS is overwriting it.

> The configuration uses the default configuration files, except that I
> have added my wireless controller to clients.conf, a DEFAULT proxy to
> the IAS server, uncommented the sql section in radius.conf and added the
> settings for my MySQL server.

  That should *mostly* work.  See below.

> Is what I am trying to do possible and if so, how would I go about it?

  Yes.  Delete "sql" from the "authorize" section.  Instead, add it to
the "post-auth" section as "sql.authorize".

  The SQL module will be queried *after* it receives the Access-Accept
from IAS.  The SQL queries which are used will be the ones you've
already configured from "authorize", which seem to work.

  Alan DeKok.
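The change described in the reply above, as an added configuration sketch that is not part of the original post. It assumes a FreeRADIUS 2.x virtual server file (for example `raddb/sites-available/default`) and leaves every other module in those sections as it already is.

```conf
# Constructed example, not taken from the poster's configuration.
# Assumed file: raddb/sites-available/default (FreeRADIUS 2.x layout).

authorize {
	# ... other modules already in this section stay unchanged ...

	# BEFORE: "sql" was listed here, so the group lookup ran ahead of
	# the proxy. Per the reply, the response from IAS then overwrote
	# the attributes it had set.
	# sql
}

post-auth {
	# AFTER: call the SQL module's "authorize" method from post-auth.
	# It is queried once the Access-Accept has come back from IAS and
	# uses the same queries already configured for "authorize".
	sql.authorize

	# ... other modules already in this section stay unchanged ...
}
```

Running the server in debug mode (`radiusd -X`) and sending a test authentication shows whether the group's attributes from MySQL are now present in the Access-Accept returned to the wireless controller.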

More information about the Freeradius-Users mailing list