Trying to do proxy using realm and 2 VS

Vincent, Fabien fabien.vincent at coreye.fr
Thu Mar 28 16:43:07 CET 2013


Hi all,

I'm currently working on a fresh FreeRADIUS 2.x install, in order to separate RADIUS auth for Administrators (Firewall, Router & Switch administration) and Customer access (VPN SSL / IPSec).

My first try was to rewrite all the config into virtual servers (previously, everything was written into radiusd.conf :().

So here is what I did:

[root at server   /etc/raddb]$ ll sites-enabled/
total 0
lrwxrwxrwx. 1 root root 33 Mar 19 12:01 administrator -> /etc/raddb/sites-available/administrator
lrwxrwxrwx. 1 root root 43 Mar 26 18:16 customer -> /etc/raddb/sites-available/coreye_customers

These are my two VSs:

server administrator {
# Authenticate / Authorize listener
        listen {
                ipaddr = *
                port = 1600
                type = auth
        }
# Accounting listener
        listen {
                ipaddr = *
                port = 1601
                type = acct
        }
[...]


server customer {

# Authenticate / Authorize listener
        listen {
                ipaddr = *
                port = 1602
                type = auth
        }
# Accounting listener
        listen {
                ipaddr = *
                port = 1603
                type = acct
        }
[...]

And in order to proxy, I want to forward via proxy depending on the realm (proxy.conf):

realm ".*customer$" {
        virtual_server = customer
}

realm ".*admin$" {
        virtual_server = administrator
}

realm NULL {
        virtual_server = administrator
}


But when logging into RADIUS, it works for the VS administrator (login admin or user at admin), but if I try using login at customer, it's never proxied to the virtual server customer.

I tried different methods shown in the mailing list, but no way, it never works ...

Proxy to realm in the authorize section:

if (Realm == customer) {
        update control {
                Proxy-To-Realm := customer
        }
}

Not working ... The request is always handled by the administrator VS.
I also played with the dynamic clients example and FreeRADIUS-Client-Virtual-Server = "customer", but it's not working either.

I suspect the problem is located in my NAS MySQL table, where the "server" column is forced to the virtual server "administrator".

Is there anything I missed? What's the best solution for this kind of configuration when the NAS entries are stored in a MySQL DB, and some of the NAS clients could be used by different virtual servers? What is the best way to have a single RADIUS server IP, and two different virtual servers with two different sets of rules?

Thanks in advance for your help!

Fabien VINCENT
http://www.coreye.fr
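Added example (not from the post or from FreeRADIUS itself): a small Python model of the suffix-realm lookup the post relies on, run over the post's proxy.conf realms, to show which virtual server each login resolves to. It assumes the realm module splits User-Name at the last "@", falls back to the NULL realm when there is none, and treats a realm name as a regular expression only when it starts with "~"; that last point is my assumption about the 2.x realm code, so check the comments in your own proxy.conf.

```python
import re
from typing import List, Optional, Tuple

Realms = List[Tuple[str, str]]  # (realm name, virtual_server), in file order

# Constructed models of the post's proxy.conf. AS_WRITTEN is the post's config;
# WITH_TILDE is the same with the "~" regex marker this model expects (assumption).
AS_WRITTEN: Realms = [(".*customer$", "customer"),
                      (".*admin$", "administrator"),
                      ("NULL", "administrator")]
WITH_TILDE: Realms = [("~.*customer$", "customer"),
                      ("~.*admin$", "administrator"),
                      ("NULL", "administrator")]


def find_realm(name: str, realms: Realms) -> Optional[Tuple[str, str]]:
    """Model of realm lookup: exact (case-insensitive) name first, then realms
    whose name starts with "~" as case-insensitive substring regexes, then
    DEFAULT if one is configured, else None."""
    for rname, vs in realms:
        if not rname.startswith("~") and rname.lower() == name.lower():
            return rname, vs
    for rname, vs in realms:
        if rname.startswith("~") and re.search(rname[1:], name, re.IGNORECASE):
            return rname, vs
    for rname, vs in realms:
        if rname == "DEFAULT":
            return rname, vs
    return None


def route(user_name: str, realms: Realms, delimiter: str = "@") -> Tuple[str, Optional[str]]:
    """Model of rlm_realm in "suffix" format: split at the LAST delimiter, look the
    suffix up (NULL when there is none) and return (stripped user, virtual server).
    None means no realm claimed the request, so it stays in the virtual server
    the client definition (e.g. the SQL nas "server" column) delivered it to."""
    if delimiter not in user_name:
        hit = find_realm("NULL", realms)
        return user_name, (hit[1] if hit else None)
    user, suffix = user_name.rsplit(delimiter, 1)
    hit = find_realm(suffix, realms)
    return user, (hit[1] if hit else None)


if __name__ == "__main__":
    for label, realms in (("as written", AS_WRITTEN), ("with ~", WITH_TILDE)):
        for login in ("admin", "user@admin", "login@customer", "bob@elsewhere"):
            print(f"{label:10s} {login:16s} -> {route(login, realms)}")
```

With the post's realm names taken literally, only the NULL realm ever matches, which is consistent with logins without "@" always landing in the virtual server bound to the client.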

