Jack Jackson wrote:
Dear All-

Excuse my ignorance. Our company uses RADIUS today for network (802.1x) authentication. We're merging with another company who also uses RADIUS for the same purpose. Is there a config document which shows how I can configure FreeRADIUS to proxy to 2 completely different, existing RADIUS servers to authenticate users?

The idea is that if one existing RADIUS server doesn't contain user information, a second RADIUS server can be queried for user info. Failing both lookups, the user will be declined.

I don't believe there's any function in the FreeRadius proxy code to handle that.

Depending on the Auth-Type, it's a somewhat difficult thing to do; for example with many EAP types, you might not know the auth has failed (because the user doesn't exist or for any other reason) until after several Access-Request/Access-Challenge pairs have been sent, and it's too late to redirect the exchange by then.


I'd appreciate any helpful tips.

You will be far better off getting a list of users from the "other" server and using a map in "your" server - e.g.

authorize {
  preprocess
  users
  # other modules
}

users:

joeremote       Freeradius-Proxied-To := theremoteserverip

johnremote      Freeradius-Proxied-To := theremoteserverip

janelocal       User-Password := "foo"

There are lots of better ways of doing this - see rlm_passwd or the SQL modules, but you get the basic idea.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
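The realm-based mapping the reply sketches, written out as a complete configuration. This is an added example, not part of the original thread and not FreeRADIUS project documentation; it uses the standard FreeRADIUS 2.x/3.x proxy.conf syntax with the Proxy-To-Realm check item rather than the Freeradius-Proxied-To attribute shown above. The realm name othercompany, the home server address 192.0.2.10, the shared secret placeholder and the user names are all assumed values for illustration.

```conf
# ---- proxy.conf (added example; names and addresses are assumed) ----

# The other company's existing RADIUS server, reached as a "home server".
home_server othercompany_radius {
    type      = auth
    ipaddr    = 192.0.2.10            # assumed address of the remote server
    port      = 1812
    secret    = replace_with_shared_secret   # assumed; agree it with the other side

    # Liveness checking: Status-Server (RFC 5997) keeps the server from being
    # marked dead just because a single Access-Request went unanswered.
    status_check    = status-server
    response_window = 20
    zombie_period   = 40
}

# A pool is a list of home servers. "fail-over" only moves to the next
# server when the current one does NOT answer; an Access-Reject is an
# answer, so this does not give "try server A, then server B for unknown
# users" semantics. That is exactly the limitation the reply describes.
home_server_pool othercompany_pool {
    type        = fail-over
    home_server = othercompany_radius
}

# The realm name is what Proxy-To-Realm in the users file refers to.
realm othercompany {
    auth_pool = othercompany_pool
}

# ---- users (rlm_files) ----
# First matching entry wins unless it sets Fall-Through = Yes, so the
# named entries are consulted before the catch-all DEFAULT.

# Users known only to the other company's server: proxy them there.
joeremote   Proxy-To-Realm := "othercompany"
johnremote  Proxy-To-Realm := "othercompany"

# Local users authenticate here. Cleartext-Password (not User-Password)
# is the check item for a locally known plaintext password in 2.x/3.x.
janelocal   Cleartext-Password := "foo"

# Anyone not listed above is rejected outright, which gives the
# "failing both lookups, decline the user" behaviour without a second
# round trip.
DEFAULT     Auth-Type := Reject

# ---- sites-enabled/default, authorize section ----
# "files" is the instance name of the module that reads the users file.
authorize {
    preprocess
    files
    eap
}
```

Because the decision to proxy is made in authorize, before any EAP round trip starts, the whole EAP conversation for joeremote goes to the remote server and the whole conversation for janelocal stays local. Check the mapping with a plain PAP request before trying 802.1X, e.g. `radtest joeremote password localhost 0 testing123`, and watch `radiusd -X` for the "Proxying request ... to home server 192.0.2.10" line.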
