Proxying only specific requests within a single realm

Tony Skalski ajs at
Thu May 20 17:58:01 CEST 2021

We are migrating from NPS to FreeRADIUS this summer for our eduroam
wireless network. During a transition period I need to proxy clients using
the old configuration to the NPS servers. I am doing this based on outer
identity - the old config lacks outer identity configuration while the new
one specifies anonymous-202106. This is the logic from the outer tunnel
authorize section:

        if (&User-Name == "anonymous-202106" || &User-Name == "anonymous-202106 at" || &User-Name == "STOAD\anonymous-202106") {
                # Authenticate the request locally
        } elsif (&User-Name =~ /stolaf\.edu/ || &User-Name =~ /STOAD/) {
                # Old client config: proxy the request to the NPS servers
                update {
                        control:Proxy-To-Realm := 'nps_servers'
                        request:Operator-Name := "1${operator_name}"
                }
        }

The above works well for our old and new client configs. (There is some
additional logic not shown for the case of eduroam guests.)

We have one local realm. If I configure this as a realm in
proxy.conf, FR tries to authenticate all requests, from old and new
clients. If I comment it out, I do not get a realm in my log messages for
local authentications (i.e. new clients).

Is my approach above sound? Is there a better way of achieving the above
goal using realm config or something else?


*Tony Skalski*
System Administrator | IT

*Office:* 507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057
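
Added example (not part of the original post and not FreeRADIUS code): a Python model of the outer-identity routing decision described above, run over constructed identities, comparing the posted unanchored patterns with hypothetical anchored variants. The ANCHORED patterns, the sample names and the full form of the truncated "anonymous-202106 at" identity are assumptions.

```python
import re

# Outer identities the post authenticates locally.
LOCAL_IDENTITIES = {
    "anonymous-202106",
    "anonymous-202106@stolaf.edu",   # assumed: the archive truncated this value
    "STOAD\\anonymous-202106",
}

# Patterns as posted: unanchored, so they match anywhere in User-Name.
POSTED = [re.compile(r"stolaf\.edu"), re.compile(r"STOAD")]

# Hypothetical anchored variants: realm suffix and domain prefix only.
ANCHORED = [re.compile(r"@stolaf\.edu$"), re.compile(r"^STOAD\\")]


def route(user_name, patterns=POSTED):
    """Return the decision the if/elsif chain makes for one outer identity."""
    if user_name in LOCAL_IDENTITIES:
        return "local"
    if any(p.search(user_name) for p in patterns):
        return "proxy:nps_servers"
    return "other"  # eduroam guest logic, not shown in the post


# Constructed sample outer identities (not taken from real logs).
SAMPLES = [
    "anonymous-202106",               # new client config
    "alice@stolaf.edu",               # old client config, realm form
    "STOAD\\alice",                   # old client config, domain form
    "bob@stolaf.edu.example.org",     # different realm that contains the string
    "carol@example.org",              # eduroam guest
]


def compare(samples=SAMPLES):
    """List (identity, decision as posted, decision with anchored patterns)."""
    return [(s, route(s), route(s, ANCHORED)) for s in samples]


if __name__ == "__main__":
    for name, posted, anchored in compare():
        flag = "" if posted == anchored else "   <-- differs"
        print(f"{name:32} {posted:18} {anchored:18}{flag}")
```

Only the identity whose realm merely contains the string is routed differently: the posted patterns proxy it to nps_servers, while the anchored variants leave it to the guest logic.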
