Hello,

We have a RADIUS server with a SQL backend running fine, authenticating 802.1X users to our Eduroam service.

We'd like to re-use the user database for purposes other than Eduroam. We've got support for this in the SQL backend by it returning the status of different services as being group memberships for a particular user (e.g. a user who has Eduroam and dial-up access would be reported as being in those groups in the usergroup table). This all appears to work fine.

However, because of the University's federated nature, individual colleges and departments may run their own RADIUS servers and proxy the requests up to ours (and possibly on to our proxies) for authentication and, possibly, to confirm authorisation to use a particular service.

This relationship is not static and individual RADIUS clients may wish to check the same user for different services at different points, so we can't put in a static configuration along the lines of 'this client is our dial-up server and so we're checking for the dial-up group'. Also, we don't wish to return the full list of enabled services with each request but allow them to merely check individual services.


The way I can see to do this is allow clients to submit requests with a custom local attribute (e.g. 'UCam-Requested-Service'). If this attribute were present, we would fail the authentication if the user was not a member of the appropriate group (but otherwise authenticated OK).


Before I embark on doing something along these lines, am I missing a better way to go about things, or is there some mechanism already available which would achieve this?


Thanks for any help or advice,

  - Bob


--
 Bob Franklin <[email protected]>              +44 1223 748479
 Network Division, University of Cambridge Computing Service
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
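As an added illustration, not taken from Bob's message or from the FreeRADIUS project, here is one way the proposed per-request service check could be written in FreeRADIUS 3.x unlang. It assumes the attribute is defined as a vendor-specific attribute in a local dictionary (the vendor number 99999 is a placeholder, not an assigned IANA enterprise number), that the sql module is configured with its usual group query so that the SQL-Group comparison is available, and that the policy is called after the sql module in the authorize section of whichever virtual server actually identifies the user (for 802.1X/EAP that is the inner-tunnel server, not the outer one).

```text
# --- raddb/dictionary (local additions; 99999 is a placeholder vendor id) ---
VENDOR        UCam                    99999
BEGIN-VENDOR  UCam
ATTRIBUTE     UCam-Requested-Service  1   string
END-VENDOR    UCam

# --- raddb/policy.d/ucam (assumed file name) ---
# Reject a user who authenticates correctly but is not a member of the
# group named by the service the proxying client asked about.  A request
# without UCam-Requested-Service is left alone, so existing clients that
# only authenticate keep working unchanged.
policy ucam_requested_service {
    if (&UCam-Requested-Service) {
        # SQL-Group runs the sql module's group-membership query for the
        # current user and compares it with the expanded service name.
        if (!(&SQL-Group == "%{UCam-Requested-Service}")) {
            update reply {
                &Reply-Message := "Not authorised for service %{UCam-Requested-Service}"
            }
            reject
        }
    }
}

# --- raddb/sites-enabled/inner-tunnel, authorize section (excerpt) ---
authorize {
    # ... existing modules ...
    sql
    ucam_requested_service
    # ... remaining modules ...
}
```

Because only the group named in the request is consulted, the reply does not reveal the user's other services, which matches the requirement of letting clients check a single service rather than receiving the full list. Under FreeRADIUS 2.x the `&` prefix on attribute references is dropped but the structure is otherwise the same.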