Utterly confused about realms/proxies
Stephen Mellor
Stephen.Mellor at nhs.scot
Sun Oct 5 09:08:26 UTC 2025
A decade ago I set up separate pairs of freeradius servers for wifi and for 802.1x switch port authentication (including VLAN switching), and they've worked very well - so well in fact that I've rarely had to make any changes and I've forgotten pretty much everything that I learned about radius at the time.
But now we have a major change - another part of the organisation moving into our buildings, on our infrastructure, and we need to proxy out authentication for them to their Cisco ISE servers. I'm sure it's not difficult but I'm really struggling to achieve this (admittedly I have little time, and no dev/test system so I'm working on the live system out of hours).
So let's say that using EAP-TLS I'm currently getting user-name in the form of host/device.US.example.com and host/device.THEM.example.com, how can I differentiate between US.example.com and THEM.example.com so that we continue to authenticate US, but proxy out to their Cisco ISE to authenticate THEM?
Post-auth isn't a problem, I know how to switch VLANs and/or accept/reject according to wifi SSID and user-name domain.
I'm not looking for someone else to do this for me, but I'm reading the configs and getting nowhere - a hint would be much appreciated (is realms even the correct thing to use?), or a link to any place where there are examples of similar configurations (Google is failing me, but then I'm not sure what terms to use, "multi-tenant" or similar?).
Thanks!
More information about the Freeradius-Users mailing list