How to proxy some requests to another Radius server in the same realm?

Matthew Newton mcn at freeradius.org
Thu Oct 12 10:25:49 UTC 2023



On 12/10/2023 10:35, Pietro N. via Freeradius-Users wrote:
> Our freeradius 3.2.1 for Eduroam (Radius2) receives requests from users in Active Directory (for example, SSID=staff-AD).
> We already have a primary Radius server (Radius1, a different system) which usually handles the students' and staff's requests (for example: SSID=students), whose credentials are stored in the internal database.

OK... I think. So radius2 receives requests when a user connects to the 
"staff-AD" SSID, and radius1 receives requests when connecting to the 
"students" SSID?


> How can I forward the requests arriving at freeradius from students (who tried to use SSID=staff-AD and were rejected by AD) to Radius1?
> How can I forward the requests arriving at freeradius from SSID=students to Radius1?

You need to do a few things:

- configure radius1 as a client on radius2, and vice-versa

- configure proxy.conf on radius1 to add an entry for radius2, and 
vice-versa

- work out when a request should be proxied and set Proxy-To-Realm, 
either with unlang or by calling the realm module.

> When I think "forward" I guess use "proxy.conf" but when I think about authorization (rejected by AD) I guess I should act elsewhere (default?).

You don't proxy after you have a failed authentication. You need to work 
out if proxying is required beforehand. Many sites will have different 
username (or realm) formats which can be used. Alternatively you can 
look the user up in a database (such as LDAP if you are using AD).

Simple example for radius1, add a clients.conf entry:

   client radius2 {
     ipaddr          = 10.0.0.2
     secret          = longsecretfromradius2
   }

and a proxy.conf entry

   realm radius2 {
     authhost  = 10.0.0.2:1812
     secret    = longsecretfromradius1
   }


then in sites-available/default add something to the authorize{} section 
to proxy if needed

   split_username_nai

   # Proxy-To-Realm must name a realm defined in proxy.conf, i.e. the
   # "radius2" realm above. The domain test is only an illustration.
   if (&Stripped-User-Domain && &Stripped-User-Domain == "students.example.it") {
     update control {
       &Proxy-To-Realm := "radius2"
     }
   }

Add similar, but opposite, to radius2. Be careful to get the logic 
correct so you don't create loops.

That example looks at the realm, but you can use any tests to determine 
whether to set Proxy-To-Realm or not.

-- 
Matthew
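The other half of the setup, written out as an added example rather than taken from the post above: the configuration for radius2 (the FreeRADIUS 3.2 server the original poster runs), using the 3.x home_server / home_server_pool / realm form of proxy.conf, plus the loop guard the reply warns about. The addresses 10.0.0.1 and 10.0.0.2, the secrets and the domain "students.example.it" are assumptions carried over from the snippets above, not values from the poster's network.

```conf
# Added example, not from the original post or the FreeRADIUS project.
# radius2 side of the radius1 <-> radius2 proxy setup. Addresses, secrets
# and the students.example.it domain are assumed, not taken from the poster.

# --- clients.conf on radius2: accept packets that radius1 proxies to us ---
client radius1 {
    ipaddr    = 10.0.0.1
    secret    = longsecretfromradius1    # must equal the realm secret on radius1
    shortname = radius1
}

# --- proxy.conf on radius2: where to send requests for radius1 ---
# "radius1" below is the name that Proxy-To-Realm refers to.
home_server radius1 {
    type         = auth
    ipaddr       = 10.0.0.1
    port         = 1812
    secret       = longsecretfromradius2 # must equal the client secret on radius1
    status_check = status-server         # mark the peer dead/alive instead of guessing
}

home_server_pool radius1_pool {
    type        = fail-over
    home_server = radius1
}

realm radius1 {
    auth_pool = radius1_pool
    nostrip                              # do not let the realm module rewrite User-Name
}

# --- sites-available/default on radius2, near the top of authorize {} ---
authorize {
    # sets Stripped-User-Name / Stripped-User-Domain from user@domain
    split_username_nai

    # Loop guard: a packet that arrived FROM radius1 is never sent back to it,
    # whatever its domain says. Otherwise radius1 and radius2 can ping-pong a
    # request until the NAS times out.
    if (&Packet-Src-IP-Address != 10.0.0.1 && \
        &Stripped-User-Domain && \
        &Stripped-User-Domain == "students.example.it") {

        update control {
            &Proxy-To-Realm := "radius1"
        }

        # When proxying, a Stripped-User-Name in the request is used as the
        # User-Name of the proxied packet. Drop it so radius1 still sees the
        # full user@domain that the NAS sent.
        update request {
            &Stripped-User-Name !* ANY
        }
    }

    # ... rest of the normal authorize section (e.g. eap, ldap for AD users) ...
}
```

The mirror image goes on radius1: a client entry for 10.0.0.2, a realm named radius2 (as in the reply), and an authorize rule that sets Proxy-To-Realm := "radius2" only for the staff domain and only when the packet did not come from 10.0.0.2. Test each direction with radtest from a host on each server's own client list and watch `radiusd -X` on the receiving side; a request that shows up on both servers more than once is a loop.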

