Proxying only specific requests within a single realm

Alan DeKok aland at
Thu May 20 18:24:07 CEST 2021

On May 20, 2021, at 11:58 AM, Tony Skalski via Freeradius-Users <freeradius-users at> wrote:
> We are migrating from NPS to FreeRADIUS this summer for our eduroam
> wireless network.

  Very nice!

> During a transition period I need to proxy clients using
> the old configuration to the NPS servers. I am doing this based on outer
> identity - the old config lacks outer identity configuration while the new
> one specifies anonymous-202106. This is the logic from the outer tunnel
> authorize section:
>        if  (&User-Name == "anonymous-202106" || &User-Name == "
> anonymous-202106 at" || &User-Name == "STOAD\anonymous-202106") {

  Wow... that "anonymous" username doesn't match RFC 7542.  But whatever.

>                # Authenticate the request locally
>                noop
>        } elsif (&User-Name =~ /stolaf\.edu/ || &User-Name =~ /STOAD/) {
>                update {
>                        control:Proxy-To-Realm := 'nps_servers'
>                        request:Operator-Name := "1${operator_name}"
>                }
>                return
>        }
> The above works well for our old and new client configs. (There is some
> additional logic not shown for the case of eduroam guests.)

  That's good to hear.

> We have one local realm, If I configure this as a realm in
> proxy.conf, FR tries to authenticate all requests, from old and new
> clients. If I comment it out, I do not get a realm in my log messages for
> local authentications (i.e. new clients).
> Is my approach above sound? Is there a better way of achieving the above
> goal using realm config or something else?

  There is no realm configuration which says "only proxy some things".  You have to add those rules yourself.

  One way is to define it as a realm in proxy.conf, run the "suffix" module, and then cancel proxying:

	if (I don't want to proxy for some reason) {
		update control {
			Proxy-To-Realm !* ANY

  Which deletes the "Proxy-To-Realm" attribute, and therefore doesn't do proxying.

  Alan DeKok.

More information about the Freeradius-Users mailing list