Looking for general advice on how to configure a (somewhat complex) freeradius server

Alan DeKok aland at deployingradius.com
Fri Jan 11 13:01:20 CET 2019


On Jan 11, 2019, at 2:42 AM, R3DNano <r3dnano at gmail.com> wrote:
> 
> Thanks for your kind reply, Alan, it's been really helpful.

  Good.

> Forgive me if I'm being too dense here, but if I understand you correctly,
> you mean a good approach would be to create one virtual server per each
> client (at the end of the day you don't have that many ones, but sure their
> authentication methods might differ considerably between one and another),

  If the policies are completely different (VPN, WiFi, etc.), yes.

> set non-standard ports on each of them to listen to (since two virtual
> servers can't listen on the same port)

  No.  Please read the documentation I told you to read.  It describes how different clients can use different virtual servers.  That's why I asked you to read the documentation.

  raddb/sites-available/README

  See section 5.  This is *extensively* documented.

> and inside each server's authorize
> section, implement the unlang logic to use the correct authentication
> sources?

  Treat each virtual server as completely independent.  And put all of the rules for VPN into the VPN virtual server.

  In this situation, you can simplify the virtual servers to use *only* the necessary policies.  I've had good luck with creating virtual servers that are ~30 lines for each of authorize && authenticate.

  Once the *requirements* are minimized, the *implementation* can also be minimized.

  Alan DeKok.
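
The per-client mapping the reply refers to, shown as an added example that is not part of the original message or the FreeRADIUS distribution: in FreeRADIUS 3.x a `client` block can name the virtual server that handles its packets with `virtual_server`, so every client keeps using the standard port. Client names, addresses, secrets, the server names `vpn` and `wifi`, and the choice of LDAP and EAP as authentication sources are all assumptions made for illustration.

```conf
# raddb/clients.conf
# Names, addresses and secrets below are constructed placeholders.
client vpn_concentrator {
	ipaddr         = 192.0.2.10
	secret         = CHANGE_ME_vpn_shared_secret    # one unique secret per client
	virtual_server = vpn        # requests from this NAS are handled by "server vpn"
}

client wifi_controller {
	ipaddr         = 192.0.2.20
	secret         = CHANGE_ME_wifi_shared_secret
	virtual_server = wifi       # requests from this NAS are handled by "server wifi"
}

# raddb/sites-available/vpn   (symlink it into sites-enabled/)
# No "listen" section here: packets arrive on the existing listener and are
# routed to this server by the client mapping above.
server vpn {
	authorize {
		preprocess
		ldap                # assumption: VPN users are stored in LDAP (mods-enabled/ldap configured)
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
	}
}

# raddb/sites-available/wifi  (symlink it into sites-enabled/)
server wifi {
	authorize {
		preprocess
		eap {
			ok = return     # stop processing once EAP has taken the request
		}
	}
	authenticate {
		eap                 # assumption: 802.1X methods are set up in mods-enabled/eap
	}
}
```

Running `radiusd -XC` checks the configuration and exits, which catches a `virtual_server` name that does not match any `server` block before the change goes live.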



