Hi Dusty,
Yeah, I had considered running two radiusd instances, actually, but it
felt less than ideal. Part of the problem is that our radius
infrastructure is spread across two dozen servers around the world, and
multiple radiusd's give us more moving parts (two /etc/raddb configs,
two sets of users files, two daemons to worry about, etc). We have some
tools to manage distribution of configs, users files, etc, but as-is
they would probably require significant changes. Hopefully I can make
freeradius do what I want... if not, I may end up taking your advice
;-) Thanks.
Dusty Doris wrote:
the request, which doesn't help me). The only thing the NAS can do that is
"helpful" is send cert auth requests to a different UDP port than regular
auth requests.
Perhaps there are new features that can take care of this for you in
one place, but if not, you can just run two radiusd instances. One
for "oldschool" and one for cert.
For example, say your raddb dir is in /etc/raddb now.
You would create two subdirs of that directory
mkdir /etc/raddb/oldschool
mkdir /etc/raddb/cert
and perhaps for logging separately as well
mkdir /var/log/radius/oldschool
mkdir /var/log/radius/cert
cp all the files from raddb to the two directories.
Modify the top of radiusd.conf to point to the new directories for
raddbdir, confdir, logdir, etc.. Modify the listen or port arguments
to make one listen on 1645 and the other on 1812.
Then modify the rest of it, such as the users file, to do what you
want for each separate instance.
Then modify your startup script to fire off two instances using the -d
option, and make sure you get both instances as well on stop/restarts.
eg:
/pathto/radiusd -d /etc/raddb/oldschool
/pathto/radiusd -d /etc/raddb/cert
That will give you two separate instances. One will be configured to
only handle oldschool logins and the other to only handle certs. It
will be another port/process you'll have to monitor, but it should
give you what you want.
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
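The two-instance split described in the quoted message, as an added example that is not code from the thread or from the FreeRADIUS project: it copies a base raddb tree into per-instance directories, rewrites raddbdir, logdir and port, and then checks that the two instances share neither a directory nor a port. It assumes radiusd.conf sets those keys on top-level "key = value" lines; the function names and the sample config and users files are constructed for illustration, and a temporary directory stands in for /etc/raddb and /var/log/radius.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes radiusd.conf sets raddbdir,
# logdir and port on top-level "key = value" lines, as in the constructed sample.

make_instance() {   # usage: make_instance BASE NAME PORT LOGROOT
    base=$1; name=$2; port=$3; logroot=$4; dest="$base/$name"
    mkdir -p "$dest" "$logroot/$name" || return 1
    for f in "$base"/*; do          # copy top-level files only, not instance dirs
        if [ -f "$f" ]; then cp "$f" "$dest/" || return 1; fi
    done
    sed -e "s|^raddbdir[[:space:]]*=.*|raddbdir = $dest|" \
        -e "s|^logdir[[:space:]]*=.*|logdir = $logroot/$name|" \
        -e "s|^port[[:space:]]*=.*|port = $port|" \
        "$base/radiusd.conf" > "$dest/radiusd.conf"
}

conf_value() {      # usage: conf_value FILE KEY -> first value of KEY
    sed -n "s|^$2[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

check_instances() { # returns 0 only if the two configs share no dir or port
    for key in raddbdir logdir port; do
        a=$(conf_value "$1" "$key"); b=$(conf_value "$2" "$key")
        if [ -z "$a" ] || [ -z "$b" ] || [ "$a" = "$b" ]; then
            echo "conflict on $key: '$a' vs '$b'" >&2
            return 1
        fi
    done
}

demo() {            # builds a throwaway tree; prints its path
    root=$(mktemp -d) || return 1
    mkdir -p "$root/raddb"
    # constructed sample config, not a real radiusd.conf
    printf '%s\n' 'raddbdir = /etc/raddb' 'logdir = /var/log/radius' \
        'confdir = ${raddbdir}' 'port = 0' > "$root/raddb/radiusd.conf"
    echo 'DEFAULT Auth-Type := Reject' > "$root/raddb/users"
    make_instance "$root/raddb" oldschool 1645 "$root/log" &&
    make_instance "$root/raddb" cert 1812 "$root/log" &&
    echo "$root"
}

DEMO_ROOT=$(demo) || exit 1
check_instances "$DEMO_ROOT/raddb/oldschool/radiusd.conf" \
                "$DEMO_ROOT/raddb/cert/radiusd.conf" && echo "instances are disjoint"
```

Running check_instances against an unedited copy of radiusd.conf fails, which is the case to catch before starting the second daemon with -d.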