high level design question

Alan DeKok aland at deployingradius.com
Thu Oct 13 23:12:50 UTC 2022


On Oct 13, 2022, at 5:22 PM, Matt Zagrabelny via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I'm standing up a new RADIUS server that needs to proxy requests to both
> single and two factor RADIUS systems. I am looking for some feedback on my
> design.
> 
> I'd like the option to configure local clients to either single factor or
> two factor auth.

  OK.

> The proxy server I set up could listen on 1812 and 1814. Clients that
> need/want single factor auth will request to 1812 and clients that
> need/want two factor auth will request to 1814. With corresponding acct
> listening on 1813 and 1815.
> 
> Is this sensible? Are there any standard FR configurations for working with
> clients to proxy to different RADIUS servers?

  You don't need different ports. You can just put the clients into a group. You can use a DB, or add extra information to the "client" section:

client foo {
	ipaddr = ...
	
	group = group1
}

client bar {
	ipaddr = ...
	
	group = group2
}


	and then do:

	if ("%{client:group}" == "group1") {
		... proxy to server1
	}
	elsif ("%{client:group}" == "group2") {
		... proxy to server2
	}

  Alan DeKok.
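
A fuller version of the configuration sketched in the reply above, added here as an example; it is not part of the original message or of FreeRADIUS's shipped configuration. It assumes FreeRADIUS 3.x syntax. The realm, pool and home server names, the addresses and the secrets are placeholders, and the final `else` branch, which rejects clients that carry no known group, is an addition.

```conf
# proxy.conf: one realm per upstream system.
# Names, addresses (documentation range) and secrets are placeholders.
home_server single_factor_hs {
	# auth+acct: authentication on "port", accounting on "port + 1"
	type = auth+acct
	ipaddr = 192.0.2.10
	port = 1812
	secret = REPLACE_WITH_SECRET_1
}
home_server_pool single_factor_pool {
	home_server = single_factor_hs
}
realm single_factor {
	pool = single_factor_pool
}

home_server two_factor_hs {
	type = auth+acct
	ipaddr = 192.0.2.20
	port = 1812
	secret = REPLACE_WITH_SECRET_2
}
home_server_pool two_factor_pool {
	home_server = two_factor_hs
}
realm two_factor {
	pool = two_factor_pool
}

# Virtual server (for example sites-enabled/default): put this block at
# the start of the existing "authorize" section. "group" is the extra
# field set in each "client" section, read back with %{client:group}.
authorize {
	if ("%{client:group}" == "group1") {
		update control {
			&Proxy-To-Realm := "single_factor"
		}
	}
	elsif ("%{client:group}" == "group2") {
		update control {
			&Proxy-To-Realm := "two_factor"
		}
	}
	else {
		# Fail closed: a client with a missing or mistyped group
		# never falls through to local or single factor handling.
		reject
	}
}
```

The same `if` / `elsif` routing in the `preacct` section sends each client's accounting to the matching upstream.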


