
I am working on a FreeRADIUS management system which I am developing in PHP. My system will be available on the cloud. Suppose there are company1 and company2, which will use our system. company1 will have database1, which will contain company1's clients; company2 has database2, which will contain company2's clients. Now, what is the benefit or use of the file proxy.conf in FreeRADIUS? I have read it but I don't understand it. I think this file is related to my problem, isn't it? Can anyone explain this file to me and how to use it?

M.Bwe

1 Answer


The proxy.conf file defines realms which are destinations for RADIUS traffic. Each realm may contain one or more sets of servers. The servers are grouped by the ones used to process accounting traffic (Accounting-Requests), and the ones used to process authentication traffic (Access-Requests).

One way of solving your problem would be to run three RADIUS servers, one as a frontend, and the other two as backends. One backend would then service company1, and the other would service company2. If you want to keep the companies isolated, that would be a good way to do it.

There are reasons to keep the companies' RADIUS servers isolated beyond security - FreeRADIUS <= 3 is entirely synchronous except for proxying. This means that if your database goes down, and the worker threads are hung waiting for responses, then no new requests will be processed. E.g. if database1 goes offline, authentication requests to company2 (database2) may be affected.

If the above issues aren't relevant, then it's likely simpler just to use multiple instances of the SQL module to talk to the different databases.

In `mods-available/sql` you can create multiple instances of the sql module by copying/pasting the existing text into the same file, and inserting the instance name between the module name and the opening curly brace, i.e. `sql <instance> {`.

You can then refer to the instance in `sites-available/default`.

An example of a virtual server configuration to select between the databases based on realm would be:

```
server default {
    authorize {
        # Splits the incoming username on @
        split_username_nai

        switch &request:Stripped-User-Domain {
            case 'company1' {
                sql_database_1
            }

            case 'company2' {
                sql_database_2
            }
        }
    }
    ...
}
```

Arran Cudbard-Bell
  • But how can I make this operation dynamic, i.e. if a new company registers a new account, its own database will be created, the database's instance will be inserted into the sites-available/default file automatically, and its virtual server will be configured automatically? – M.Bwe Aug 10 '17 at 07:42
  • You'd have to use a templating language to regenerate the server configuration, and restart FreeRADIUS. There's no way currently to dynamically add new module instances, or to dynamically select which module instance is executed. – Arran Cudbard-Bell Aug 10 '17 at 07:43
  • That means I must insert it manually. – M.Bwe Aug 10 '17 at 07:46
  • Yes, there's no way to do it dynamically. – Arran Cudbard-Bell Aug 10 '17 at 07:51
  • But when I configure it I must restart the FreeRADIUS server, and this will affect company2's users, i.e. if I restart FreeRADIUS and user2 in company2 is trying to log in to his account, he cannot do that until the server starts. – M.Bwe Aug 10 '17 at 07:56
  • I am so sorry, but I cannot find the file mods-available/sql. Where can I find it? – M.Bwe Aug 10 '17 at 08:07
  • You need to install FreeRADIUS >= 3.0.0 (preferably 3.0.15). See packages.networkradius.com if your distro does not have packages for this version. – Arran Cudbard-Bell Aug 10 '17 at 11:39
  • On Debian the full path would be `/etc/freeradius/mods-available/sql`, on RHEL/CentOS and everything else `/etc/raddb/mods-available/sql`. – Arran Cudbard-Bell Aug 10 '17 at 11:40
  • Rather than using `split_username_nai` you might want to use an instance of the rlm_realm module. – DustWolf Sep 10 '21 at 11:13
  • No. That's incorrect. `rlm_realm` doesn't add `Stripped-User-Domain`, it only adds `Stripped-User-Name`. It wouldn't work here. – Arran Cudbard-Bell Sep 10 '21 at 12:51
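
The templating step suggested in the comments, as an added example that is not part of the original answer or of FreeRADIUS: it regenerates the `authorize` section from a tenant list and treats realm names as untrusted input, since they come from company sign-ups and end up inside the server configuration. The `sql_<realm>` instance naming, the realm allow-list and the default `case` that rejects unknown realms are assumptions.

```python
"""Added example: regenerate the per-tenant authorize section from a tenant list."""
import re

# Realms come from a sign-up form, so they are untrusted. A strict allow-list
# keeps a crafted name from closing the string or block and injecting unlang.
REALM_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]{0,61}[a-z0-9])?$")


def instance_name(realm: str) -> str:
    """Map a realm to an sql module instance name (hypothetical convention)."""
    if not REALM_RE.fullmatch(realm):
        raise ValueError(f"rejected realm name: {realm!r}")
    return "sql_" + re.sub(r"[.-]", "_", realm)


def render_authorize(realms: list[str]) -> str:
    """Render the authorize section that selects one sql instance per realm."""
    by_instance = {}
    for realm in sorted(set(realms)):
        name = instance_name(realm)
        # "a-b" and "a.b" would share an instance, i.e. share a database.
        if name in by_instance:
            raise ValueError(f"{realm!r} collides with {by_instance[name]!r}")
        by_instance[name] = realm
    lines = [
        "authorize {",
        "    # Splits the incoming username on @",
        "    split_username_nai",
        "",
        "    switch &request:Stripped-User-Domain {",
    ]
    for name, realm in by_instance.items():
        lines += [f"        case '{realm}' {{", f"            {name}", "        }"]
    # Default case (assumption): unknown realms never reach a tenant database.
    lines += ["        case {", "            reject", "        }", "    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample tenants, not from the original post.
    print(render_authorize(["company1", "company2"]))
```

Each generated instance name still needs a matching `sql <instance> {` block in `mods-available/sql`, and the regenerated configuration can be checked with `radiusd -XC` before the restart.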