Initial design question

Jure Simšič jure.simsic at forensis.si
Thu Jul 1 10:32:22 CEST 2021


----- On Jun 30, 2021, at 3:14 PM, Alan DeKok aland at deployingradius.com wrote:


> 
>  TBH, for b1 and b2, I would just create two VMs, one for each system.  That way
>  you can create a "base" VM with FreeRADIUS, Samba, etc.  You can then customize
>  this VM with individual rules for each AD domain, and for each set of users.
> 

Yes, that would significantly simplify the setup: have one for each AD, with winbind and/or LDAP on that AD. So basically each backend method (aka winbind and LDAP) needs a separate server, otherwise it's hard to distinguish between requests. Or can you differentiate regarding which client sends the request? Separate servers seem cleaner.

>> 2. how to deal with eduroam wifi - a user can be from several realms - 1) @edu
>> auth b1, 2) @student.edu auth b2, @anything_else delegate. Where should this
>> actually be done? In a server configuration or in proxy.conf or where?
> 
>  In proxy.conf.  There's documentation for Eduroam on http://wiki.freeradius.org
> 

I've read this. There is one thing I'm not quite sure how to do. I go with two VMs for each AD; in the eduroam example the VLANs get assigned in post-auth for only two cases, home user or foreign user, and that gets defined by checking &control:Proxy-To-Realm. I'd need to have 3 setups (staff/student/other), and in my case *student would also fall into the &control:Proxy-To-Realm group as it'd have to be proxied to the other VM. Should I just define a new var in the authorize section or hijack an unused one (like request:Operator-Name) and check and assign by this value?

> 
>  Welcome to RADIUS.  :(  It's horribly complex, because people want to do
>  horribly complex things.
> 

Yes, one does get the there-be-dragons feeling at first ;-) But it's getting much clearer now (there-might-only-be-frogs ;-))
Thanks a lot for the pointers!

Cheers, Jure
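One way to lay out the three realm classes asked about above, as an added example that is not from the thread, the eduroam wiki or the FreeRADIUS project itself: only the realm names edu and student.edu come from the thread; the home server, pool, address, secret and VLAN numbers are placeholders. It assumes the wireless controller sends every request to the first VM (b1), which authenticates @edu locally and proxies everything else, and it relies on the realm module adding &request:Realm for local and proxied realms alike, so post-auth can branch on that instead of on Proxy-To-Realm or a repurposed attribute.

```unlang
# --- proxy.conf: the three realm classes from the question -----------
# No auth_pool, so "edu" is a LOCAL realm, authenticated on this VM (b1).
realm edu {
}
# Second VM (b2) for the student AD; address, secret and names are placeholders.
home_server b2_vm {
	type   = auth
	ipaddr = 192.0.2.20
	secret = CHANGE_ME
}
home_server_pool b2_pool {
	home_server = b2_vm
}
realm student.edu {
	auth_pool = b2_pool
	nostrip    # eduroam: forward the full User-Name
}
# Everyone else is a visitor: forward to the national eduroam proxy.
realm DEFAULT {
	auth_pool = eduroam_flr_pool   # pool from the wiki guide, not shown here
	nostrip
}
# --- sites-enabled/default, post-auth section --------------------------
post-auth {
	# The "suffix" realm instance adds &request:Realm for local and proxied
	# realms alike ("edu", "student.edu" or "DEFAULT"), so no extra attribute
	# is needed.  Operator-Name (RFC 5580) carries the visited operator's
	# identity in eduroam and is not free for local use.  VLANs are made up.
	update reply {
		Tunnel-Type        := VLAN
		Tunnel-Medium-Type := IEEE-802
	}
	switch &request:Realm {
		case "edu" {
			update reply {
				Tunnel-Private-Group-Id := "10"   # staff
			}
		}
		case "student.edu" {
			update reply {
				Tunnel-Private-Group-Id := "20"   # student
			}
		}
		case {
			update reply {
				Tunnel-Private-Group-Id := "30"   # visitor
			}
		}
	}
}
```

Because post-proxy runs before post-auth, the student branch also applies to replies coming back from b2, and the `:=` operator overrides any VLAN the home server may have set.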

