Initial design question

Jure Simšič jure.simsic at
Thu Jul 1 10:32:22 CEST 2021

----- On Jun 30, 2021, at 3:14 PM, Alan DeKok aland at wrote:

>  TBH, for b1 and b2, I would just create two VMs, one for each system.  That way
>  you can create a "base" VM with FreeRADIUS, Samba, etc.  You can then customize
>  this VM with individual rules for each AD domain, and for each set of users.

Yes, that would significantly simplify the setup, have one for each AD winbind and/or LDAP on that AD.. So basically each backend method (aka winbind and ldap) needs a separate server otherwise it's hard to distinguish between requests or can you differentiate regarding which client sends the request? Separate servers seem cleaner..

>> 2. how to deal with eduroam wifi - a user can be from several realms - 1) @edu
>> auth b1, 2) auth b2, @anything_else delegate. Where should this
>> actually be done? In a server configuration or in proxy.conf or where?
>  In proxy.conf.  There's documentation for Eduroam on

I've read this. There is one thing I'm not quite sure how to do - I go with two VMs for each AD, in the eduroam example the VLANs get assigned in post-auth for only two cases - home user or foreign user and that gets defined by checking  &control:Proxy-To-Realm. I'd need to have 3 setups - staff/student/other and in my case *student would also fall into &control:Proxy-To-Realm group as it'd have to be proxied to the other VM. Should I just define a new var in authorize section or hijack an unused one (like request:Operator-Name) and check&assign by this value?

>  Welcome to RADIUS.  :(  It's horribly complex, because people want to do
>  horribly complex things.

Yes, one does get the there-be-dragons feeling at first ;-) But it's getting much clearer now (there-might-only-be-frogs ;-)
Thanks a lot for the pointers!

Cheers, Jure

More information about the Freeradius-Users mailing list