Proxy decision based on LDAP lookups and Radius_client match.
Frank Skovboel
fs at secu.dk
Sun Oct 30 14:55:28 CET 2011
Hi Alan,
Thanks for the quick reply. As I said, I'm quite inexperienced with FreeRADIUS, so I have a few follow-up questions below.
> Frank Skovboel wrote:
> > I have been asked to build a radius proxy using freeradius, and I'm
> > completely new to freeradius, and with the flexibility in
> > freeradius I'm
> > having a hard time figuring out how to accomplish my goal, or if
> > it's
> > even possible to do.
>
> Pretty much anything is possible. :)
>
> > I imagine the flow is some thing like:
> > 1) User from Company A tries to login
> > 2) Company A's VPN sends a radius request to Freeradius
> > 3) Freeradius looks at the Radius_client IP and finds the right AD.
>
> See "man unlang"
The language seems straightforward :-)
>
> > 4) Freeradius does an LDAP bind to Company A's AD, and checks if
> > the
> > user exists.
>
> if (Packet-Src-IP-Address == 1.2.3.4) {
>     ldap_a
> }
> elsif (Packet-Src-IP-Address == 4.5.6.7) {
>     ldap_b
> }
Where would I place this (in which file, under which section?), and do I need to do something special to make sure it does not try to authenticate the user?
>
> Configure two copies of the LDAP module. See raddb/modules/files
> for
> simple documentation on how this is done. Point ldap_a at the AD for
> company A, and ldap_b at the AD for company B.
>
> > 5) If user exists request is proxied to the OTP radius, if the user
> > does
> > not exists access-reject is sent from Freeradius.
>
> After the above config:
>
> if (notfound) {
>     reject
> }
> ... else proxy it ...
Where can I read about the response codes that I can expect on "found user" and "user not found"?
"else proxy it": is that about using update control?
--
Thanks,
Frank
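The following is an added worked example, not configuration from either poster, showing how the pieces discussed in this thread fit together in FreeRADIUS 2.x: two copies of the ldap module, a per-client lookup in the authorize section, a reject when the account does not exist, and Proxy-To-Realm to hand the accepted request to the OTP server. Every host name, address (192.0.2.x), DN, module name (ldap_a, ldap_b) and realm name (otp) is a placeholder chosen for the example.

```unlang
# raddb/modules/ldap_a  -- one copy of the ldap module per customer AD.
# All names and addresses below are example placeholders, not values
# from the mailing-list thread.
ldap ldap_a {
    server   = "ad.corp-a.example"
    identity = "cn=radius-lookup,cn=Users,dc=corp-a,dc=example"
    password = "REPLACE-ME"
    basedn   = "dc=corp-a,dc=example"
    # Search-only: this instance is called from authorize and only checks
    # whether the account exists. It binds with the lookup account above,
    # never with the end user's credentials, so no local authentication
    # of the user takes place here.
    filter   = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
}

# raddb/modules/ldap_b  -- same shape, pointed at company B's AD.
ldap ldap_b {
    server   = "ad.corp-b.example"
    identity = "cn=radius-lookup,cn=Users,dc=corp-b,dc=example"
    password = "REPLACE-ME"
    basedn   = "dc=corp-b,dc=example"
    filter   = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
}

# raddb/proxy.conf  -- the OTP server that does the real authentication.
home_server otp_server {
    type   = auth
    ipaddr = 192.0.2.50
    port   = 1812
    secret = "REPLACE-ME"
}
home_server_pool otp_pool {
    type        = fail-over
    home_server = otp_server
}
realm otp {
    auth_pool = otp_pool
    nostrip
}

# raddb/sites-enabled/default, authorize {} section.
authorize {
    preprocess

    # Pick the directory by the VPN concentrator that sent the request.
    if (Packet-Src-IP-Address == 192.0.2.10) {
        ldap_a
    }
    elsif (Packet-Src-IP-Address == 192.0.2.20) {
        ldap_b
    }
    else {
        # Unknown source: deny rather than fall through to a default lookup.
        reject
    }

    # The ldap module returns "notfound" when no entry matched the filter;
    # the if/elsif block above carries that return code forward.
    if (notfound) {
        reject
    }

    # Account exists: forward the request to the OTP server. Setting
    # Proxy-To-Realm in authorize makes the server proxy the packet, so the
    # local authenticate {} section is never reached for this request.
    update control {
        Proxy-To-Realm := "otp"
    }
}
```

The source addresses still have to be listed in raddb/clients.conf with their shared secrets, otherwise the packets are dropped before authorize runs. The return codes the ldap module can set (ok, updated, notfound, fail, and so on) are the ones "man unlang" lists under the module return codes, and the debug output of "radiusd -X" shows which one each call produced for a test request.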