Initial design question

Alan DeKok aland at
Wed Jun 30 15:14:01 CEST 2021

On Jun 30, 2021, at 8:54 AM, Jure Simšič via Freeradius-Users <freeradius-users at> wrote:
> I'm trying to configure radius for an edu organisation that has the following needs:
> a1. staff wifi (edu employees)
> a2. eduroam wifi
> a3. network devices auth for admins
> a4. eth 802.1X auth in future
> There are a couple of backends I need to authenticate to:
> b1. staff is in MS AD - staffAD
> b2. students have another AD not part of same AD domain, I need to auth them separately - studAD

  That makes it a bit more difficult, but not impossible.

> b3. visiting students/lecturers get their auth via eduroam delegation to their home organisations
> Additionally I have special needs for a3 that apart from the u/p I need to check if they are members of a particular group.
> I've already set up the basics for b1 via winbind and it seems to be working via radtest. What I've managed to read in the various docs is that I can only authenticate to one AD via AD membership / winbind and also if I want to check group membership it has to be done via LDAP (can do it via ldapsearch). 


  You likely need to install two versions of Samba, as Samba can only join one AD domain at a time.

> So I have a couple of questions on what is the correct way to set up all this:
> 1. should I make a separate server instance in sites-available for b1-3 (or even two for b1 if I need to do a separate LDAP auth for a3) and put each one on a separate port? 

  TBH, for b1 and b2, I would just create two VMs, one for each system.  That way you can create a "base" VM with FreeRADIUS, Samba, etc.  You can then customize this VM with individual rules for each AD domain, and for each set of users.

> 2. how to deal with eduroam wifi - a user can be from several realms - 1) @edu auth b1, 2) auth b2, @anything_else delegate. Where should this actually be done? In a server configuration or in proxy.conf or where? 

  In proxy.conf.  There's documentation for Eduroam on

> 3. I've already started editing files in mods-available (namely ldap) but it feels wrong to do it there on the master files.

  It's fine.  That's what revision control is for.  Use "git" to track changes to the files, and any problem you run into will be simple to solve:  just revert the configuration to a "known working" version.

  Plus, if you use "git", it's easy to put the configuration into one machine, and then "git clone" it to others.

> Should I make a copy for each LDAP server in mods and reference it somewhere or how do I make separate copies for different backends and ldap filters.. And how&where do I call the correct module for different ldap backends?

  If you use multiple VMs, you just have one LDAP module for each VM.

> So am I correct in the assumption that I will need the following servers:
> 1. one winbind for a1 and a2 @edu realm that authenticate to b1
> 2. one ldap for a2 for to b2
> 3. one ldap for a3 (and a4) to b1
> 4. one forwarder/proxy for a2 for @other
> Thanks a lot for any pointers. I'm starting to get the feeling if I don't do this the proper way from the start I'm going to get entangled in a messy knot rather soon..

  Welcome to RADIUS.  :(  It's horribly complex, because people want to do horribly complex things.

  Alan DeKok.
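
The realm routing discussed above (own realm handled locally, the second AD's realm sent to its own VM, everything else delegated to eduroam), as an added example that is not part of the original post or of FreeRADIUS's shipped configuration. It is a FreeRADIUS 3.x proxy.conf fragment for the staff VM; the realm names, addresses, pool names and secrets are placeholders, and proxying the student realm to the second VM is an assumption based on the two-VM suggestion.

```conf
# proxy.conf on the staff VM (FreeRADIUS 3.x syntax).
# All names, addresses and secrets below are placeholders (assumptions).
# Realm lookup happens when the "suffix" realm module runs in authorize.

# Second VM, joined to the student AD.
home_server stud_vm {
	type = auth
	ipaddr = 192.0.2.20
	port = 1812
	secret = REPLACE_WITH_STUDENT_VM_SECRET
	status_check = status-server
}
home_server_pool stud_pool {
	type = fail-over
	home_server = stud_vm
}

# Upstream eduroam server for visitors' home organisations.
home_server eduroam_upstream {
	type = auth
	ipaddr = 192.0.2.30
	port = 1812
	secret = REPLACE_WITH_EDUROAM_SECRET
	status_check = status-server
}
home_server_pool eduroam_pool {
	type = fail-over
	home_server = eduroam_upstream
}

# Staff realm: no pool, so requests are authenticated on this server
# and staff credentials are never sent upstream.
realm staff.example.edu {
}

# Student realm: proxied to the VM joined to the student AD.
realm students.example.edu {
	auth_pool = stud_pool
	nostrip
}

# Catch-all, listed last: any other non-empty realm goes to eduroam.
# nostrip keeps the full user@realm so the next hop can route it.
realm "~.+$" {
	auth_pool = eduroam_pool
	nostrip
}
```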
