Initial design question
jure.simsic at forensis.si
Thu Jul 1 10:32:22 CEST 2021
----- On Jun 30, 2021, at 3:14 PM, Alan DeKok aland at deployingradius.com wrote:
> TBH, for b1 and b2, I would just create two VMs, one for each system. That way
> you can create a "base" VM with FreeRADIUS, Samba, etc. You can then customize
> this VM with individual rules for each AD domain, and for each set of users.
Yes, that would significantly simplify the setup, have one for each AD winbind and/or LDAP on that AD.. So basically each backend method (aka winbind and ldap) needs a separate server otherwise it's hard to distinguish between requests or can you differentiate regarding which client sends the request? Separate servers seem cleaner..
>> 2. how to deal with eduroam wifi - a user can be from several realms - 1) @edu
>> auth b1, 2) @student.edu auth b2, @anything_else delegate. Where should this
>> actually be done? In a server configuration or in proxy.conf or where?
> In proxy.conf. There's documentation for Eduroam on http://wiki.freeradius.org
I've read this. There is one thing I'm not quite sure how to do - I go with two VMs for each AD, in the eduroam example the VLANs get assigned in post-auth for only two cases - home user or foreign user and that gets defined by checking &control:Proxy-To-Realm. I'd need to have 3 setups - staff/student/other and in my case *student would also fall into &control:Proxy-To-Realm group as it'd have to be proxied to the other VM. Should I just define a new var in authorize section or hijack an unused one (like request:Operator-Name) and check&assign by this value?
> Welcome to RADIUS. :( It's horribly complex, because people want to do
> horribly complex things.
Yes, one does get the there-be-dragons feeling at first ;-) But it's getting much clearer now (there-might-only-be-frogs ;-)
Thanks a lot for the pointers!
More information about the Freeradius-Users