How to proxy some requests to another Radius server in the same realm?

Alan DeKok aland at deployingradius.com
Thu Oct 12 12:06:29 UTC 2023


On Oct 12, 2023, at 5:35 AM, Pietro N. via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> Our freeradius 3.2.1 for Eduroam (Radius2) receives requests from users in Active Directory (for example, SSID=staff-AD).
> We already have a primary Radius server (Radius1, different system) which usually handles the students' and staff requests (for example: SSID=students), whose credentials are stored in the internal database.
> 
> How can I forward the requests arriving at freeradius from students (who tried to use SSID=staff-AD, being rejected by AD), forwarding them to Radius1?
> How can I forward the requests arriving at freeradius from SSID=students, forwarding them to Radius1?

  If both SSIDs are the same, then the better approach is to just use one SSID.  Then based on LDAP group lookups, put the users into a "staff" VLAN or a "student" VLAN.

  It's much simpler to configure, and much simpler to debug, test, and maintain.

  This SSID can even be the eduroam SSID:

	if (my domain)
		if (staff)
			put into staff vlan
		else
			put into student vlan

	else if check bad / malformed domain
		reject

	else
		proxy upstream to eduroam.

  Most policies aren't much more complex than that.   There are still details to work out, of course.  But by writing policies in simple pseudo-code as above, you've simplified the problem into creating and testing each individual line of pseudocode.

  Alan DeKok.
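
The pseudo-code in the message above, modelled as a small Python function so that each branch can be unit-tested before it is turned into server policy. This is an added example, not part of the original message and not FreeRADIUS configuration; the realm `example.org`, the VLAN ids, the group name and the `groups_of` lookup are assumptions, and the malformed-domain check is run first rather than second.

```python
"""Testable model of the realm / VLAN routing policy (added example)."""
import re

LOCAL_REALM = "example.org"              # assumption: the site's own realm
STAFF_VLAN, STUDENT_VLAN = "10", "20"    # assumption: site VLAN ids
STAFF_GROUP = "staff"                    # assumption: LDAP/AD group name

# One or more DNS labels, each followed by a dot, then a final alphabetic label.
REALM_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")


def vlan_reply(vlan_id):
    """RFC 3580 reply attributes a NAS uses for dynamic VLAN assignment."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan_id,
    }


def decide(user_name, groups_of):
    """Return (action, reply_attributes) for one request.

    action is "local", "reject" or "proxy"; groups_of is a callable that
    stands in for the LDAP group lookup and returns a set of group names.
    """
    local, sep, realm = user_name.rpartition("@")
    realm = realm.lower()
    # Bad / malformed domain: no realm, empty or odd user part, invalid realm.
    if not sep or not local or "@" in local or not REALM_RE.match(realm):
        return ("reject", {})
    # My domain: authenticate locally and pick the VLAN from group membership.
    if realm == LOCAL_REALM:
        if STAFF_GROUP in groups_of(local):
            return ("local", vlan_reply(STAFF_VLAN))
        return ("local", vlan_reply(STUDENT_VLAN))
    # Any other well-formed realm goes upstream to eduroam.
    return ("proxy", {})


if __name__ == "__main__":
    # Constructed sample identities and group data, not taken from the thread.
    directory = {"alice": {"staff"}, "bob": {"students"}}
    for name in ("alice@example.org", "bob@example.org",
                 "carol@other.edu", "dave", "eve@example..org"):
        print(name, decide(name, lambda u: directory.get(u, set())))
```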


