Split authorization / authentication

Emmanuel BILLOT emmanuel.billot at ac-orleans-tours.fr
Wed Jun 13 15:35:30 CEST 2012


Le 13/06/2012 15:14, Alan DeKok a écrit :
> Emmanuel BILLOT wrote:
>> Is it possible to split authorization step as follow :
>>
>> - Considering we want to authorize user using EAP and MAC adresses
>> - http://wiki.freeradius.org/Mac-Auth works fine, but is it possible to
>> do EAP with one radius server and MAC address auth with another one ?
>    Yes, but it's generally a bad idea.  It adds complexity with no real
> purpose.
>
>    FreeRADIUS can be configured to do whatever you want.  It's best to
> keep everything in one server.
>
>    Look at the debug output to see *how* those packets are different.
> Then, write down how you want them to be handled.  Then, write the
> "unlang" to do it.
>
>    Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok thanks for your answer. Possibly this is a bad idea but we have 
sometimes to work with obligations.
What module should i use to send MAC adresses to another radius server, 
and getting back ok/nok before testing EAP ?
Using unlang yes, but what directive should i use ? Proxy cannot be one 
because MAC adresse has no suffix.

-- 
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57



More information about the Freeradius-Users mailing list