Hi,

This isn't a question about a problem, rather a "best practice" sort of thing...

I've currently got a FreeRadius installation servicing a number of Cisco units providing WPAv2 Auth against MS AD. This works great. I need to expand my setup a bit, and am looking for guidance/advice as to how best to configure the server to get what I want.

I can split my users into two sets - a "head office" set, and a "regional" set. The Head Office guys will need to be able to gain access anywhere, but the regional guys will only need to get access to either one, or a couple of networks in regional locations. E.g., Regional User 1 can access the network in Region 1 only, but Regional User 2 can access the network in Regions 1 & 2...

The Head Office guys are all authenticated by AD, and I'm planning on having the Regional Guys stored in a PostgreSQL database, probably with a matrix arrangement to store the information relating to the regions they're allowed access to. Additionally, it would be good to be able to have two different root CAs - largely for political reasons.

So far, I'm thinking two domains each with a virtual server, an initial proxy to hand requests to the two virtual servers based on domain, and then a bit of Perl moduling to determine which Regions each Regional guy is allowed access to.

I'd be very grateful for advice/experience to streamline this a bit, or tell me I'm an idiot and there's a much simpler way!

Many Thanks,
Rupert

