On Wed, Apr 25, 2012 at 09:19:58AM -0400, David Peterson wrote:
> I have a more of an abstract question as to proxy functionality. Can you do
> the following:
>
>
> [email protected] password test
>
> bob.com -> proxy to localhost
> [email protected] - reply Access Deny
>
> This would be the norm for that realm, just deny everyone.
>
> Except for bob's boss:
>
> [email protected] password gooduser
> bob.com -> proxy to actual bob.com external AAA server.
>
> I hope this isn't a complete mess of a question.

Yes - proxying only happens if you hit the end of the authorize {}
section having set the Proxy-To-Realm control attribute.
So you can set/not set that, based on anything in the incoming
packet, to determine if it should be proxied or not.

Something like (completely untested)

    if (User-Name =~ /whatever/) {
        # Matching users are proxied to the 'externalaaa' realm
        update control {
            Proxy-To-Realm := 'externalaaa'
        }
    }
    else {
        # Everyone else is rejected locally
        reject
    }

Then create realm 'externalaaa' in your proxy.conf file, as
normal.

There must be many ways to do this. Another possibility in your
users file -

    [email protected] Proxy-To-Realm := 'whatever'
    DEFAULT Auth-Type := Reject

Cheers,
Matthew
--
Matthew Newton, Ph.D. <[email protected]>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <[email protected]>
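
The setup described in the reply above, written out as an added example that is not part of the original thread or of the FreeRADIUS project's shipped configuration: the realm definition in proxy.conf plus the default-deny authorize logic, with the match anchored so that only one exact identity is proxied. It assumes FreeRADIUS 2.x/3.x syntax; boss@bob.example, 192.0.2.10, the shared secret and the names externalaaa_hs and externalaaa_pool are constructed placeholders.

```conf
# --- proxy.conf: where the realm 'externalaaa' sends requests ---
# Address, secret and the *_hs / *_pool names are constructed placeholders.
home_server externalaaa_hs {
	type   = auth
	ipaddr = 192.0.2.10
	port   = 1812
	secret = CHANGE_ME_shared_secret
}

home_server_pool externalaaa_pool {
	type        = fail-over
	home_server = externalaaa_hs
}

realm externalaaa {
	auth_pool = externalaaa_pool
	nostrip		# forward User-Name to the home server unchanged
}

# --- virtual server: authorize section ---
authorize {
	preprocess

	# Too loose: an unanchored pattern with an unescaped dot also matches
	# any longer User-Name that merely contains this text.
	#   if (User-Name =~ /boss@bob.example/) {

	# Anchored at both ends, dot escaped: exactly one identity is proxied.
	if (User-Name =~ /^boss@bob\.example$/) {
		update control {
			Proxy-To-Realm := 'externalaaa'
		}
	}
	else {
		# Default deny: answered locally with Access-Reject, never proxied.
		reject
	}
}
```

Running the server in debug mode (`radiusd -X`) shows, per request, whether Proxy-To-Realm was set or the request was rejected.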