Awesome thanks! I will likely be in testing mode on this in the near future so I will update the list when I get to that stage.
David

-----Original Message-----
From: Matthew Newton [mailto:m...@leicester.ac.uk]
Sent: Wednesday, April 25, 2012 9:57 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Proxy Question

On Wed, Apr 25, 2012 at 09:19:58AM -0400, David Peterson wrote:
> I have more of an abstract question as to proxy functionality. Can
> you do the following:
>
> b...@bob.com password test
>
> bob.com -> proxy to localhost
> b...@bob.com - reply Access Deny
>
> This would be the norm for that realm, just deny everyone.
>
> Except for bob's boss:
>
> b...@bob.com password gooduser
> bob.com -> proxy to actual bob.com external AAA server.
>
> I hope this isn't a complete mess of a question.

Yes - proxying only happens if you hit the end of the authorize {}
section having set the Proxy-To-Realm control attribute. So you can
set/not set that, based on anything in the incoming packet, to
determine if it should be proxied or not.

Something like (completely untested)

  if (User-Name =~ /whatever/) {
    update control {
      Proxy-To-Realm := 'externalaaa'
    }
  }
  else {
    reject
  }

Then create realm 'externalaaa' in your proxy.conf file, as normal.

There must be many ways to do this. Another possibility in your
users file -

  b...@bob.com  Proxy-To-Realm := 'whatever'

  DEFAULT  Auth-Type := Reject

Cheers,

Matthew

--
Matthew Newton, Ph.D. <m...@le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
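
The following is an added example, not part of the original thread or the FreeRADIUS project's own configuration: the default-deny policy discussed above, shown together with the proxy.conf realm it refers to. It goes slightly beyond the thread by using an exact match for the allowed user and limiting the reject to the bob.com realm. The user name boss@bob.com, the home server and pool names, the address and the shared secret are constructed placeholders.

```conf
# --- virtual server, inside authorize { } ---
# Exact comparison rather than a regex: an unanchored pattern would
# also match longer names that merely contain the allowed one.
# "boss@bob.com" is a constructed placeholder for the one allowed user.
if (User-Name == "boss@bob.com") {
    update control {
        # Proxying happens only if this is set when authorize ends.
        Proxy-To-Realm := "externalaaa"
    }
}
elsif (User-Name =~ /@bob\.com$/) {
    # Everyone else in the realm is denied locally and never proxied.
    reject
}

# --- proxy.conf ---
home_server externalaaa_hs {        # hypothetical name
    type   = auth
    ipaddr = 192.0.2.10             # constructed address (documentation range)
    port   = 1812
    secret = CHANGE_ME              # placeholder shared secret
}

home_server_pool externalaaa_pool { # hypothetical name
    type        = fail-over
    home_server = externalaaa_hs
}

realm externalaaa {
    auth_pool = externalaaa_pool
    nostrip                         # forward User-Name unchanged
}
```

Running the server in debug mode (radiusd -X) while sending one request for each case shows whether the request was rejected locally or handed to the home server.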