Jacques Caruso <[EMAIL PROTECTED]> wrote:
> I have set up two FreeRADIUS (0.8.1, Debian packages recompiled)
> servers, with a MySQL replicating backend. Since we provide a local PoP
> for a national ISP, I need to proxy requests to their RADIUS server. The
> problem is, they don't use any realm for their users.

  The best thing to do would be to convince them that using a realm
for logins would be the best thing.  That's how everybody else in the
world does it.

>  The best solution would have been thus (IMHO) to try to
> authenticate from the SQL DB, and if that failed, to forward the
> request to their RADIUS.

  I disagree.  You only want to authenticate users who are in your
local domain.  All other users should skip authentication, and go
directly to proxying.

  The solution would be to put all of *your* users into a Unix group.
You can then do:

DEFAULT Group == "myusers", Auth-Type := System
# NO fall-through!

DEFAULT Proxy-To-Realm = "otherguy"


  That way, the 'authorize' section discovers who owns what user, and
picks one of local authentication, or proxying.

  This won't work, however, if one of their users has the same name as
one of your users.  This is why everyone uses realms...

> Another question is about post-proxying: I originally configured the
> RADIUS to send back a 'Framed-IP-Address' parameter based on the port
> number of the NAS (avoids me the hassle of rummaging through the radacct
> logs to find who had that IP at that hour), and an
> 'Ascend-Maximum-Channels' parameter to please the broken NAS. The home
> server, of course, doesn't

  If your RADIUS server is the one next to the NAS boxes, then it
doesn't matter what the home server sends you.

> I've been unable to find any
> information about mangling server responses except two short posts on
> the mailing list saying these functions should be available in the
> pre-0.8 snapshots[1]. Fine! I run on 0.8.1, so I should have those
> magical functions, but I didn't find them, even after grepping the docs
> directory like a maniac. Could someone just point me at the right
> document?

  The current CVS head has these.


  Hmm.. Monaco... I'll probably be in Nice in June.  That's just down
the road...

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
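
The routing decision and the name-collision caveat from the reply above, as an added example that is not part of the original thread or FreeRADIUS code. It is a simplified Python model of first-match evaluation over the two entries as posted; the group members and ISP login names are constructed, and the helper names (parse_users, decide, collisions) are hypothetical.

```python
import re

# The two entries from the message, verbatim.
USERS_FILE = '''\
DEFAULT Group == "myusers", Auth-Type := System
# NO fall-through!

DEFAULT Proxy-To-Realm = "otherguy"
'''

# attr, operator, optionally quoted value, then a comma or end of line
ITEM = re.compile(r'\s*([\w-]+)\s*(==|:=|=)\s*"?([^",]+?)"?\s*(?:,|$)')

def parse_users(text):
    """Return [(name, checks, sets)], one tuple per entry's first line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        checks, sets = [], []
        for attr, op, value in ITEM.findall(rest):
            # '==' compares; ':=' and '=' set a control attribute
            (checks if op == "==" else sets).append((attr, value))
        entries.append((name, checks, sets))
    return entries

def decide(entries, username, unix_groups):
    """First matching entry wins, since neither entry falls through."""
    for name, checks, sets in entries:
        if name not in ("DEFAULT", username):
            continue
        if all(attr == "Group" and username in unix_groups.get(value, ())
               for attr, value in checks):
            return dict(sets)
    return {}

def collisions(unix_groups, group, remote_usernames):
    """Remote logins that the first entry would capture locally."""
    return sorted(unix_groups.get(group, set()) & set(remote_usernames))

# Constructed sample data: local Unix group and the ISP's login names.
GROUPS = {"myusers": {"alice", "bob"}}
ISP_LOGINS = ["carol", "bob"]

if __name__ == "__main__":
    rules = parse_users(USERS_FILE)
    for user in ("alice", "carol", "bob"):
        print(user, decide(rules, user, GROUPS))
    print("collisions:", collisions(GROUPS, "myusers", ISP_LOGINS))
```

Any name returned by collisions() is an ISP login that would be authenticated against the local system and never proxied, which is the failure case the reply describes.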
