high level design question

Matt Zagrabelny mzagrabe at d.umn.edu
Fri Oct 14 00:36:14 UTC 2022


Hey Alan,


On Thu, Oct 13, 2022 at 6:18 PM Alan DeKok <aland at deployingradius.com> wrote:

> On Oct 13, 2022, at 5:22 PM, Matt Zagrabelny via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> > I'm standing up a new RADIUS server that needs to proxy requests to both
> > single and two factor RADIUS systems. I am looking for some feedback on
> > my design.
> >
> > I'd like the option to configure local clients to either single factor or
> > two factor auth.
>
>   OK.
>
> > The proxy server I set up could listen on 1812 and 1814. Clients that
> > need/want single factor auth will request to 1812 and clients that
> > need/want two factor auth will request to 1814. With corresponding acct
> > listening on 1813 and 1815.
> >
> > Is this sensible? Are there any standard FR configurations for working
> > with clients to proxy to different RADIUS servers?
>
>   You don't need different ports. You can just put the clients into a
> group. You can use a DB, or add extra information to the "client" section:
>
> client foo {
>         ipaddr = ...
>
>         group = group1
> }
>
> client bar {
>         ipaddr = ...
>
>         group = group2
> }
>
>
>         and then do:
>
>         if ("%{client:group}" == "group1") {
>                 ... proxy to server1
>         }
>         elsif ("%{client:group}" == "group2") {
>                 ... proxy to server2
>         }
>

Cool. I suppose I was overengineering the design thinking that there might
be more than one application on a host where app1 wants single factor auth
and app2 wants two factor auth.

That probably isn't a likely scenario.

So... thank you for the sensible design!

-m
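
An added example, not part of either message and not FreeRADIUS's shipped configuration: the group-based proxy decision sketched in the quoted reply, written out for a FreeRADIUS 3.x server and limited to authentication. The groups `group1`/`group2` and the realm names `server1`/`server2` are taken from the thread; the home-server and pool names, the addresses (RFC 5737 documentation range) and the secrets are assumed placeholders.

```conf
# proxy.conf: one home server, pool and realm per upstream.
# All names, addresses and secrets below are placeholders (assumptions).
home_server hs_single_factor {
        type   = auth
        ipaddr = 192.0.2.10
        port   = 1812
        secret = REPLACE_WITH_SECRET_1
}
home_server_pool pool_single_factor {
        type        = fail-over
        home_server = hs_single_factor
}
realm server1 {
        auth_pool = pool_single_factor
}

home_server hs_two_factor {
        type   = auth
        ipaddr = 192.0.2.20
        port   = 1812
        secret = REPLACE_WITH_SECRET_2
}
home_server_pool pool_two_factor {
        type        = fail-over
        home_server = hs_two_factor
}
realm server2 {
        auth_pool = pool_two_factor
}

# Virtual server, start of the "authorize" section.
# "group" is the custom field set in each client { } block.
authorize {
        if ("%{client:group}" == "group1") {
                update control {
                        &Proxy-To-Realm := "server1"
                }
        }
        elsif ("%{client:group}" == "group2") {
                update control {
                        &Proxy-To-Realm := "server2"
                }
        }
        else {
                # Missing or mistyped group: fail closed so the request
                # is never handled by a weaker policy by accident.
                reject
        }
}
```

Running `radiusd -XC` after the change checks that the configuration parses before the server is restarted.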
