Initial design question

Alan DeKok aland at
Thu Jul 1 14:29:13 CEST 2021

On Jul 1, 2021, at 4:32 AM, Jure Simšič via Freeradius-Users <freeradius-users at> wrote:
> Yes, that would significantly simplify the setup, have one for each AD winbind and/or LDAP on that AD.. So basically each backend method (aka winbind and ldap) needs a separate server otherwise it's hard to distinguish between requests or can you differentiate regarding which client sends the request? Separate servers seem cleaner..

  You use two VMs because it's a pain to run two copies of Samba on the same machine.  And you need two copies of Samba, because it will only join one AD domain.

  Once you decide to run two VMs, you'll see other benefits such as simplicity.

> I've read this. There is one thing I'm not quite sure how to do - I go with two VMs for each AD, in the eduroam example the VLANs get assigned in post-auth for only two cases - home user or foreign user and that gets defined by checking  &control:Proxy-To-Realm. I'd need to have 3 setups - staff/student/other and in my case *student would also fall into &control:Proxy-To-Realm group as it'd have to be proxied to the other VM. Should I just define a new var in authorize section or hijack an unused one (like request:Operator-Name) and check&assign by this value?

  I'm not really clear what you're trying to do here.  You're mixing up a solution with the problem description.  Which means it's hard to understand anything.

  You shouldn't need to proxy eduroam users to both VMs.

  Write down the problem description.  Write down how you determine a user is staff, or doing network device auth, etc.  Then write down the "unlang" rules to implement it.

  When you have a vague problem description, your solution is also vague.

  Alan DeKok.

More information about the Freeradius-Users mailing list