Utterly confused about realms/proxies

Alan DeKok alan.dekok at inkbridge.io
Sun Oct 5 11:56:12 UTC 2025


On Oct 5, 2025, at 5:08 AM, Stephen Mellor via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> A decade ago I set up separate pairs of freeradius servers for wifi and for 802.1x switch port authentication (including VLAN switching), and they've worked very well - so well in fact that I've rarely had to make any changes and I've forgotten pretty much everything that I learned about radius at the time.

  That's good and bad.  :)

> But now we have a major change - another part of the organisation moving into our buildings, on our infrastructure, and we need to proxy out authentication for them to their Cisco ISE servers. I'm sure it's not difficult but I'm really struggling to achieve this (admittedly I have little time, and no dev/test system so I'm working on the live system out of hours).

  It's pretty simple to spin up a dev system or docker image.  Doing that is better than changing a live development environment.

> So let's say that using EAP-TLS I'm currently getting user-name in the form of host/device.US.example.com and host/device.THEM.example.com, how can I differentiate between US.example.com and THEM.example.com so that we continue to authenticate US, but proxy out to their Cisco ISE to authenticate THEM?

  A simple way is regular expressions.

	# Escape the dots so the pattern matches the literal domain suffix
	if (User-Name =~ /US\.example\.com/) {
		update control {
			Proxy-To-Realm := "realm1"
		}
	}

	...

  Do that before the realm module, and it will see that the packet is already marked as being proxied.

> Post-auth isn't a problem, I know how to switch VLANs and/or accept/reject according to wifi SSID and user-name domain.
> 
> I'm not looking for someone else to do this for me, but I'm reading the configs and getting nowhere - a hint would be much appreciated (is realms even the correct thing to use?), or a link to any place where there are examples of similar configurations (google is failing me, but then I'm not sure what terms to use, "multi-tenant" or similar?).

  It's just a mapping between names and realms.  You can do this via the realms module, or many other ways.

  The proxy.conf file defines "next hop" RADIUS servers, including home servers, pools, and realms.  The realms module maps domain names (example.com) to a realm in the proxy.conf file.

  Alan DeKok.
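As an added example (not from the original post or its author), the mapping described above written out end to end: a home server, pool and realm in proxy.conf for the other organisation's ISE, and an authorize block that marks THEM.example.com names for proxying while forcing US.example.com names to stay local. The server name, IP address, shared secret and realm name are placeholders; the regular expressions assume User-Name values of the form host/device.US.example.com and host/device.THEM.example.com as given in the question.

```conf
# --- proxy.conf (added example; all values are placeholders) ---

# One "next hop" RADIUS server: the other organisation's Cisco ISE.
home_server them_ise_1 {
	type = auth
	ipaddr = 192.0.2.10          # placeholder, use the real ISE address
	port = 1812
	secret = CHANGE_ME            # shared secret agreed with the ISE admins
	response_window = 20
	status_check = status-server  # detect a dead ISE node instead of timing out
	revive_interval = 120
}

# A pool groups one or more home servers; add a second ISE node here if they have one.
home_server_pool them_ise_pool {
	type = fail-over
	home_server = them_ise_1
}

# The realm name is what Proxy-To-Realm points at.  nostrip keeps the full
# host/device.THEM.example.com name intact when forwarding, which ISE expects.
realm them.example.com {
	auth_pool = them_ise_pool
	nostrip
}

# --- sites-enabled/default, authorize section (added example) ---
authorize {
	preprocess

	# Decide where the request goes BEFORE the realm/suffix and eap modules run.
	# The eap module skips EAP handling when Proxy-To-Realm is set to a
	# non-local realm, so the whole EAP-TLS conversation is forwarded to ISE.
	if (User-Name =~ /\.THEM\.example\.com$/i) {
		update control {
			Proxy-To-Realm := "them.example.com"
		}
	}
	elsif (User-Name =~ /\.US\.example\.com$/i) {
		# "LOCAL" is the special realm that means "do not proxy".
		update control {
			Proxy-To-Realm := "LOCAL"
		}
	}

	suffix
	eap {
		ok = return
	}
	files
}
```

Two points worth checking when testing this out of hours: run `radiusd -X` and confirm the debug output shows "Proxy-To-Realm" being set for a THEM device and the request leaving for the ISE pool, and remember that the Access-Accept (and any VLAN attributes in it) now comes back from ISE, so VLAN assignment for THEM devices is whatever ISE returns unless you rewrite it in post-proxy.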
