FreeRADIUS - How to RADIUS Proxy based on source IP?

I am currently working on building a RADIUS proxy solution with RHEL and FreeRADIUS. As I am expecting to integrate the solution with hundreds of RADIUS clients and RADIUS servers, the realm proxy function in FreeRADIUS covers a portion of use cases, and eventually we will encounter usernames that will not have a UID or realm in them, so I was thinking about identifying and proxying RADIUS clients by their source IP. I have been looking over the Internet for the past week for how to do it and I still cannot find any relevant examples or code lines on how to do it. Here is what I have so far:

For the expected incoming RADIUS request packet, I have the following code lines in /etc/raddb/clients.conf:

client vpnserver {
    ipaddr = 10.10.10.200
    secret = RADIUS123!
}

In the /etc/raddb/proxy.conf file, I have the following code lines:

home_server mfaserver1 {
    type   = auth
    ipaddr = 10.10.10.10
    port   = 1812
    secret = RADIUS123!
}

home_server_pool mfaserver1_pool {
    type        = fail-over
    home_server = mfaserver1
}

home_server mfaserver2 {
    type   = auth
    ipaddr = 10.10.10.20
    port   = 1812
    secret = RADIUS123!
}

home_server_pool mfaserver2_pool {
    type        = fail-over
    home_server = mfaserver2
}

realm mfa1 {
    auth_pool = mfaserver1_pool
}

In the /etc/raddb/sites-enabled/default file, I have the following code lines in the "authorize {}" section under "preprocess":

authorize {
    preprocess
    if (&Packet-Src-IP-Address == 10.10.10.200) {
        update control {
            Home-Server-Pool := "mfaserver2_pool"
        }
    }
}

So I am using the username "username@mfa1", and without the code lines in the /etc/raddb/sites-enabled/default file the realm condition works properly and sends the RADIUS request packet to mfaserver1 without any issues.

With the code lines added in the /etc/raddb/sites-enabled/default file, I still want the username to have the realm stripped, but overwrite the proxy condition to say that regardless of the realm in the username, the RADIUS request packet is proxied to mfaserver2 because it came from that source IP. Though, with many tests performed, nothing happens and the RADIUS request packet is still being forwarded to mfaserver1 regardless.

Am I writing the right code lines to do this? Is it in the right file? Do I need to add additional code lines in another file in /etc/raddb/?

mangohost
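One way to express "route by source IP, but still strip the realm" in FreeRADIUS 3 unlang, as an added example that is not the asker's configuration or an answer on the original page: define one realm per destination pool and override `control:Proxy-To-Realm` only after the `suffix` module has run. The realm name `mfa2` is assumed; the pool names and the client address are taken from the question.

```unlang
# Added example, not the asker's config. Assumes the asker's pools from
# proxy.conf and a new realm "mfa2" (assumed name) that points at mfaserver2_pool.

# /etc/raddb/proxy.conf -- one realm per destination pool
realm mfa1 {
    auth_pool = mfaserver1_pool
}
realm mfa2 {
    auth_pool = mfaserver2_pool
}

# /etc/raddb/sites-enabled/default, authorize section (excerpt)
authorize {
    preprocess

    # Let "suffix" run first: it parses "user@mfa1", sets Stripped-User-Name
    # and control:Proxy-To-Realm := "mfa1". If the override below ran before
    # it, the realm module would see a destination already set and skip the
    # stripping the asker wants to keep.
    suffix

    # Source-IP override. ":=" replaces the value "suffix" just set, so the
    # typed realm no longer decides the pool for this client. The proxy
    # decision itself still happens in the proxy stage using Proxy-To-Realm,
    # which is why the realm for mfaserver2_pool must exist in proxy.conf.
    if (&Packet-Src-IP-Address == 10.10.10.200) {
        update control {
            &Proxy-To-Realm := "mfa2"
        }
    }

    # Requests from any other client fall through with whatever "suffix"
    # decided (realm from the username, or no proxying at all).
}
```

Run `radiusd -X` and watch the debug output: after `suffix` the request should show `Proxy-To-Realm = "mfa2"` and the proxy stage should name mfaserver2, which is the quickest way to confirm the override took effect instead of the realm's pool.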
