We have a freeradius instance that talks to the world, and proxies requests to a back end server that does token authentication via the "otp" module. This all works fine. What we need is something we can do when a user forgets or loses their card. We thought to use S/key for this. To that end, I have another back end server that does s/key authentication via a PAM module. This too works, but I have to find a way to specify in the front end proxy on a per-user basis which back end server should be used.

The first step to doing this was to set up a realm for the s/key server. In the proxy.conf file for the front end proxy, the NULL realm has authhost and secret set up for the otp back end server. I created an SKEY realm that sets authhost and secret for the s/key back end server. So far so good; I can run "radtest" against the front end proxy server, and if I specify "[EMAIL PROTECTED]" as the username, it proxies to the s/key back end and everything works great.

The problem is that I can't figure out the magic incantation for the proxy front end to tell it that certain users should be in the SKEY realm. Am I basically on the right track as to the correct way to accomplish what I want? If so, what is the magic incantation to specify which users should be in the SKEY realm? If somebody could just point me down the right path, I'll be happy to read the relevant documentation to come up with the correct syntax, but I haven't found it yet.

Thanks,
--Greg

