Dovelet wrote:
Hi all,

I am new to FreeRadius and I hope someone can kindly help me. I have several
questions:

Q1) I just set up a FreeRadius server and I want to set it as a Radius Proxy
server. I know Realm can do it but I found that to use Realm, the user needs
to append the domain @xxx.com (i.e. [EMAIL PROTECTED]) at the end. Is it true?
Can I skip the domain @xxx.com? (i.e. the user just types the username [user01]
and the FreeRadius can proxy to another RADIUS server).

Yes, see the NULL entry in proxy.conf and set "ignore_null = no" on the LAST one of any "realm blah" entries in radiusd.conf. Or, add an entry to the users file setting Proxy-To-Realm (see below):


Q2) Can I set up a table in the FreeRadius server with usernames only so that
when the Application server requests authentication, the FreeRadius will
proxy to another RADIUS server only if the username is listed in the table?

Yes, try this:

modules {
  passwd userValid {
    file = /etc/raddb/validusers
    format = "*User-Name:~Group"
  }
}
authorize {
  preprocess
  userValid
  # other modules
  users
  # other modules
}

/etc/raddb/validusers:

user01:appserver1
user02:appserver1
user03:appserver2
user04:appserver2

/etc/raddb/users

# user must be in one group
DEFAULT Group !* ANY, Auth-Type := Reject

# If not using NULL realm
DEFAULT Proxy-To-Realm := "REALMNAME"


Q3) If Q2 is feasible, can I have several Application Servers and limit
the users from the Application servers? i.e. If user01 logs in to Application
Server1, Application Server1 requests the FreeRadius server. The FreeRadius
server checks that user01 belongs to the Application Server1 group and it proxies
the request to another RADIUS server.

Application Server1
- user01
- user02

Application Server2
- user03
- user04

Yes, see posts on just this topic (though not obviously so) a couple of days ago:

http://lists.freeradius.org/pipermail/freeradius-users/2006-March/051600.html


Just out of curiosity, what is your app and upstream radius server?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
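
Added example, not part of the original reply and not FreeRADIUS code: a Python audit of a file in the "user:group" layout of /etc/raddb/validusers above, plus a model of the policy the users entries express (no group means reject, otherwise proxy). The function names, the duplicate/whitespace/empty-group checks and the sample's last three lines are assumptions of this example; it does not reproduce how the passwd module itself parses the file.

```python
# Added example: lint an allowlist in "User-Name:Group" layout and model the
# intended decision. Not FreeRADIUS code; names and checks are assumptions.
from collections import OrderedDict

# Constructed sample: the four entries from the post plus three bad lines.
SAMPLE = """\
user01:appserver1
user02:appserver1
user03:appserver2
user04:appserver2
user05:
user01:appserver2
 user06 :appserver1
"""

def audit(text):
    """Return (table, problems); problems is a list of (line_no, reason)."""
    table, problems = OrderedDict(), []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # ignore blank lines
        fields = line.split(":")
        if len(fields) != 2:
            problems.append((n, "expected exactly 2 colon-separated fields"))
            continue
        user, group = fields
        if user != user.strip() or group != group.strip():
            # A padded name would not match the User-Name sent by the client.
            problems.append((n, "stray whitespace around a field"))
        elif not user or not group:
            # A user without a group falls through to the reject rule.
            problems.append((n, "empty user or group"))
        elif user in table:
            # Two groups for one user makes the effective group ambiguous.
            problems.append((n, "duplicate user %r" % user))
        else:
            table[user] = group
    return table, problems

def decide(table, username, realm="REALMNAME"):
    """Model of the users-file intent: unlisted -> reject, listed -> proxy."""
    group = table.get(username)
    if group is None:
        return ("reject", None, None)
    return ("proxy", realm, group)

if __name__ == "__main__":
    table, problems = audit(SAMPLE)
    for n, reason in problems:
        print("line %d: %s" % (n, reason))
    print(decide(table, "user03"), decide(table, "nobody"))
```

Running the audit before reloading the server catches entries that would otherwise silently reject a user or leave the group ambiguous.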
