Utterly confused about realms/proxies

Stephen Mellor Stephen.Mellor at nhs.scot
Sun Oct 5 12:41:53 UTC 2025


It's been years since I used a mailing list, let's see how this reply turns out...

Many thanks for the response Alan! I found a page that describes changes to proxy for freeradius 4,

https://www.freeradius.org/documentation/freeradius-server/4.0.0/howto/protocols/radius/proxy_config.html

That page provided the hint I needed, which you've confirmed and expanded upon - their proxy example forwards everything and I didn't at first realise that I could just use conditionals to pick and choose.

So I'm well on my way now: their two Cisco ISE servers are in a pool, and I don't need to proxy our devices; they can be dealt with locally. I just need some of their devices on site to be able to test fully (I'm nowhere near the place physically).

As for test/dev, it's a little awkward, but our environment is VMware so I can try things out and recover quickly if it all goes horribly wrong.

Thanks again!


________________________________
> A decade ago I set up separate pairs of freeradius servers for wifi and for 802.1x switch port authentication (including VLAN switching), and they've worked very well - so well in fact that I've rarely had to make any changes and I've forgotten pretty much everything that I learned about radius at the time.

  That's good and bad.  :)

> But now we have a major change - another part of the organisation moving into our buildings, on our infrastructure, and we need to proxy out authentication for them to their Cisco ISE servers. I'm sure it's not difficult but I'm really struggling to achieve this (admittedly I have little time, and no dev/test system so I'm working on the live system out of hours).

  It's pretty simple to spin up a dev system or docker image.  Doing that is better than changing a live development environment.

> So let's say that using EAP-TLS I'm currently getting user-name in the form of host/device.US.example.com and host/device.THEM.example.com, how can I differentiate between US.example.com and THEM.example.com so that we continue to authenticate US, but proxy out to their Cisco ISE to authenticate THEM?

  A simple way is regular expressions.
        # closing "/" added; dots escaped and suffix anchored so that only
        # names ending in ".US.example.com" match
        if (User-Name =~ /\.US\.example\.com$/) {
                update control {
                        Proxy-To-Realm := "realm1"   # a realm name from proxy.conf
                }
        }

        ...

  Do that before the realm module, and it will see that the packet is already marked as being proxied.

> Post-auth isn't a problem, I know how to switch VLANs and/or accept/reject according to wifi SSID and user-name domain.
>
> I'm not looking for someone else to do this for me, but I'm reading the configs and getting nowhere - a hint would be much appreciated (is realms even the correct thing to use?), or a link to any place where there are examples of similar configurations (google is failing me, but then I'm not sure what terms to use, "multi-tenant" or similar?).

  It's just a mapping between names and realms.  You can do this via the realms module, or many other ways.

  The proxy.conf file defines "next hop" RADIUS servers, including home servers, pools, and realms.  The realms module maps domain names (example.com) to a realm in the proxy.conf file.

  Alan DeKok.
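The following is an added example (not code from the list post or from the FreeRADIUS project) that puts Alan's two pieces together in FreeRADIUS 3.x configuration syntax, the same syntax his snippet uses: the proxy.conf side (two home servers, a fail-over pool, a realm) and the authorize side (the regular-expression split done before the realm module). Server names, addresses, secrets and the realm name "THEM" are placeholders. Note that 4.0 configures proxying differently, as the howto linked above describes, so this is not a drop-in for a 4.x server.

```conf
# ---- proxy.conf: the "next hop" definitions ----------------------------
# Assumed placeholder addresses (RFC 5737 documentation range) and secrets.
home_server ise1 {
        type = auth
        ipaddr = 192.0.2.11
        port = 1812
        secret = change-me-ise1
        response_window = 20
        zombie_period = 40
}

home_server ise2 {
        type = auth
        ipaddr = 192.0.2.12
        port = 1812
        secret = change-me-ise2
        response_window = 20
        zombie_period = 40
}

# Both ISE servers in one pool; the second is used if the first stops
# answering.
home_server_pool ise_pool {
        type = fail-over
        home_server = ise1
        home_server = ise2
}

# The name on the left is what Proxy-To-Realm is set to below. It does not
# have to look like a DNS domain, because the realm module never sees these
# EAP-TLS identities (host/device.THEM.example.com has no "@").
realm THEM {
        auth_pool = ise_pool
        nostrip
}

# ---- sites-enabled/default, authorize section -------------------------
authorize {
        preprocess

        # Mark the other organisation's devices for proxying. This runs
        # before "suffix" (the realm module) and before "eap": rlm_eap does
        # not start a local EAP conversation for a request that already has
        # Proxy-To-Realm set, so the TLS handshake is completed by ISE, not
        # by this server.
        if (&User-Name =~ /\.THEM\.example\.com$/i) {
                update control {
                        &Proxy-To-Realm := "THEM"
                }
        }

        # Our own host/device.US.example.com identities fall through and are
        # authenticated locally, exactly as before.

        suffix
        eap {
                ok = return
        }
        ...
}
```

Two checks before trusting this on the live system: confirm with "radiusd -X" that a THEM request logs a proxy to ise1/ise2 and a US request never does, and test a failover by stopping ise1, since zombie_period and response_window govern how long clients wait before the pool moves on to ise2.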
