Hello all,
We are trying to set up a cross-auth proxy setup between our five RADIUS servers in different realms at five different institutions, so that any active student, staff, or faculty from any of our institutions can go to any of the other institutions and log onto the network. This means that if a user from institution B comes to my institution, I want my RADIUS server to ask the RADIUS server over at institution B instead of using the local setup.

I've gotten much of it working, both authorizing and authenticating against our LDAP database here, but something about the authorization step is unclear to me. At the moment, I have it set up so that if I get a login request, it checks to see if the user is a member of the correct group(s) (authorization), and THEN authenticates the user, checking the realm to see where it should send the request for authentication. This all works very well, except that the authorization step only works if the user is one of MY users. If the user is one of the other four-college users, then the authorization step fails (since the user doesn't exist in my LDAP database) and the user is rejected. So I think I need to do one of three things:

1. Proxy authorization as well - it's not clear how to do this. Can you? I'd really just like to forward the entire request elsewhere, before anything else happens, so I'd like to check the realm FIRST, and not do anything if it's not a local realm.
2. Skip authorization entirely unless the user is a member of a specific realm. Again, it's not clear to me how to do this. Any ideas?
3. Something else I haven't thought of yet.

This must be something other people do too, yes? We'd like to be able to do the authorization step, because I don't want, for instance, alumns or guest users (who are in the LDAP database) to be able to log in.

I'm currently using FreeRADIUS 1.0.2, but I can upgrade if I need to.

Thanks for any help, and if more info is needed, just ask!

--
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html