Initial design question

Jure Simšič jure.simsic at forensis.si
Wed Jun 30 14:54:02 CEST 2021


Hi,

I'm trying to configure radius for an edu organisation that has the following needs:

a1. staff wifi (edu employees)
a2. eduroam wifi
a3. network devices auth for admins
a4. eth 802.1X auth in future

There are a couple of backends I need to authenticate to:

b1. staff is in MS AD - staffAD
b2. students have another AD not part of same AD domain, I need to auth them separately - studAD
b3. visiting students/lecturers get their auth via eduroam delegation to their home organisations

Additionally I have special needs for a3 that apart from the u/p I need to check if they are members of a particular group.

I've already set up the basics for b1 via winbind and it seems to be working via radtest. What I've managed to read in the various docs is that I can only authenticate to one AD via AD membership / winbind and also if I want to check group membership it has to be done via LDAP (can do it via ldapsearch).

So I have a couple of questions on what is the correct way to set up all this:

1. Should I make a separate server instance in sites-available for b1-3 (or even two for b1 if I need to do a separate LDAP auth for a3) and put each one on a separate port?
2. How to deal with eduroam wifi - a user can be from several realms - 1) @edu auth b1, 2) @student.edu auth b2, 3) @anything_else delegate. Where should this actually be done? In a server configuration or in proxy.conf or where?
3. I've already started editing files in mods-available (namely ldap) but it feels wrong to do it there on the master files. Should I make a copy for each LDAP server in mods and reference it somewhere, or how do I make separate copies for different backends and ldap filters? And how & where do I call the correct module for different ldap backends?

So am I correct in the assumption that I will need the following servers:
1. one winbind for a1 and a2 @edu realm that authenticate to b1
2. one ldap for a2 for @student.edu to b2
3. one ldap for a3 (and a4) to b1
4. one forwarder/proxy for a2 for @other

Thanks a lot for any pointers. I'm starting to get the feeling that if I don't do this the proper way from the start I'm going to get entangled in a messy knot rather soon.

Cheers,
Jure
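An added sketch, not part of Jure's post or of any reply, of how the realm split in question 2 and the group check for a3 are commonly expressed in FreeRADIUS 3.x: rlm_realm (`suffix`) populates `Realm`, unlang in one virtual server selects the backend, only unknown realms are proxied, and the admin NAS clients are sent to their own virtual server instead of a separate port. The instance names `staffAD`/`studAD`, the pool name `eduroam_flr` and the group DN are assumptions, and the EAP layers (eap module, inner-tunnel) are left out so that only the realm-to-backend selection is shown.

```conf
# proxy.conf: realms with no pool are handled locally; DEFAULT (visitors)
# goes to the eduroam federation servers in the assumed pool eduroam_flr.
realm edu { }
realm student.edu { }
realm DEFAULT {
    auth_pool = eduroam_flr
    nostrip
}

# sites-available/default (wifi): pick the backend from the realm.
# staffAD and studAD are assumed to be two instances of the ldap module in
# mods-available/ldap, each with its own server, identity and base_dn.
authorize {
    suffix    # splits user@realm into Stripped-User-Name and Realm
    if (&Realm == "edu") {
        update control { &Auth-Type := ntlm_auth }  # staff: winbind/ntlm_auth
    }
    elsif (&Realm == "student.edu") {
        studAD
        update control { &Auth-Type := studAD }     # LDAP bind against student AD
    }
    # DEFAULT realm: suffix already set Proxy-To-Realm, request is forwarded.
}
authenticate {
    Auth-Type ntlm_auth { ntlm_auth }
    Auth-Type studAD    { studAD }
}

# sites-available/admins (a3): network-device clients point here with
# "virtual_server = admins" in clients.conf. Group DN is a placeholder.
# Needs a group {} block in staffAD (membership_attribute = memberOf)
# so that the instance-specific staffAD-LDAP-Group comparison works.
server admins {
    authorize {
        staffAD
        if (!(&staffAD-LDAP-Group == "cn=netadmins,ou=groups,dc=staff,dc=example")) {
            reject
        }
        update control { &Auth-Type := staffAD }
    }
    authenticate {
        Auth-Type staffAD { staffAD }
    }
}
```

Run `radiusd -XC` after editing to check the syntax, then `radtest` with users from each realm to confirm that each request lands in the intended backend in the debug output.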

