Freeradius proxy to IAS w/SQL attributes?
Alan DeKok
aland at deployingradius.com
Wed Nov 9 22:10:44 CET 2011

Rob Ansaldo wrote:
> We are already running a MS IAS Radius server that uses our AD, but what
> we would like to do is to use FreeRADIUS to proxy requests to our IAS
> server and add in some vendor specific attributes that we would set in a
> MySQL database.

That should be possible.

> The IAS server does not have these attributes, nor do we
> want to use the IAS server for them.

Or... you could just use FreeRADIUS for everything. :)

> What would be preferred is to set
> the attributes in the MySQL database based on other business logic.
> These are 802.1x wireless clients connecting to our wireless controller.
> I have successfully configured FreeRADIUS to proxy the requests from the
> wireless controller to our IAS server. Where I am having trouble is
> applying any sort of custom attributes to the response. I can see that
> the client username is being queried, a group is being obtained and the
> attributes for that group are being queried but they never appear in the
> Access-Accept.

You're doing the SQL lookup before the proxy. So the response from
IAS is overwriting it.

> The configuration uses the default configuration files, except that I
> have added my wireless controller to clients.conf, a DEFAULT proxy to
> the IAS server, uncommented the sql section in radius.conf and added the
> settings for my MySQL server.

That should *mostly* work. See below.

> Is what I am trying to do possible and if so, how would I go about it?

Yes. Delete "sql" from the "authorize" section. Instead, add it to
the "post-auth" section as "sql.authorize".

The SQL module will be queried *after* it receives the Access-Accept
from IAS. The SQL queries which are used will be the ones you've
already configured from "authorize", which seem to work.

Alan DeKok.
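
The change described in the reply above, written out as an added example that is not part of the original message. It assumes the stock virtual server file (`raddb/sites-available/default` in a default install); only the `sql` lines matter, and the comments marking the rest of each section stand in for whatever modules your configuration already lists.

```conf
# raddb/sites-available/default  (assumed location of the virtual server)

authorize {
        # ... existing modules (preprocess, suffix, eap, ...) stay as they are ...

        # sql
        #   Removed from here. Reply attributes looked up at this stage are
        #   set before the request is proxied, so the Access-Accept that
        #   comes back from IAS overwrites them.

        # ... remaining existing modules stay as they are ...
}

post-auth {
        # Call the SQL module's "authorize" method at this point instead.
        # post-auth runs after the Access-Accept has come back from IAS,
        # so the attributes from the MySQL lookup are applied to the
        # reply after the proxy response rather than before it.
        # The queries used are the ones already configured for "authorize".
        sql.authorize

        # ... existing post-auth modules stay as they are ...
}
```

Running the server in debug mode (`radiusd -X`) shows the order in which the proxy reply and the SQL lookup are processed, which is a quick way to confirm the attributes now reach the Access-Accept sent to the wireless controller.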