Proxy requests on multiple backend Radius servers based on LDAP Group Membership
Mathieu CLAIR
mclair at protego.net
Mon Oct 15 16:16:05 CEST 2018
Hey there,
I'm trying to route Radius requests to 2 backend Radius servers based on
LDAP group membership. The purpose is to send Radius requests to the 1st
server when the user is a member of an LDAP group (example
CN=MyGroup,CN=Users,DC=foo,DC=bar) and to send all other requests to the 2nd
Radius server.
I'm wondering if it's possible and what is the best way to do it.
I started to think about the following process:
- declare an LDAP filter like
  (&(objectClass=user)(sAMAccountName=%{User-Name})(memberof=CN=MyGroup,CN=Users,DC=foo,DC=bar))
- use the filter (match not null?) in the site configuration
Something that sounds like below:

    my_ldap_filter = (&(objectClass=user)(sAMAccountName=%{User-Name})(memberof=CN=MyGroup,CN=Users,DC=foo,DC=bar))

    authorize {
        if (%{my_ldap_filter} != "") {
            update control {
                Proxy-To-Realm := 'Radius1'
            }
        }
        else {
            update control {
                Proxy-To-Realm := 'Radius2'
            }
        }
    }

I'm not sure about the syntax of this. Of course, I faced several errors
"Entry is not a reference to a module" when I manually start the freeradius
server. Do I need to use the LDAP module?
Thank you for your answer
BR,
Mathieu
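
An added example, not part of the original post and not the FreeRADIUS project's shipped configuration: one way to express this routing in unlang is to compare against the LDAP-Group check attribute registered by the ldap module instead of a hand-written filter variable. It assumes FreeRADIUS 3.x syntax, an enabled ldap module whose user filter matches on sAMAccountName and whose group section uses memberOf as the membership attribute, and realms named Radius1 and Radius2 (the names from the post) defined in proxy.conf.

```unlang
# sites-enabled/default -- added example, FreeRADIUS 3.x syntax assumed.
#
# Assumptions (none of this is shown in the original post):
#   - mods-enabled/ldap is present and can bind to the directory
#   - its user { } filter looks users up by sAMAccountName
#   - its group { } section sets membership_attribute = 'memberOf'
#   - proxy.conf defines the realms Radius1 and Radius2, each with a
#     home server pool pointing at the matching backend
authorize {
    # LDAP-Group is a check attribute provided by the ldap module.
    # Evaluating the comparison makes the module look up the user and
    # test group membership, so no separate filter variable is needed.
    if (LDAP-Group == "CN=MyGroup,CN=Users,DC=foo,DC=bar") {
        update control {
            Proxy-To-Realm := "Radius1"
        }
    }
    else {
        # Everyone else, including users not found in LDAP,
        # is sent to the second backend.
        update control {
            Proxy-To-Realm := "Radius2"
        }
    }
}
```

Running the server in debug mode (`radiusd -X`) shows which branch was taken and which realm the request was proxied to.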