Re: cascading Radius-Servers

William Bulley (web@merit.edu)
Tue, 17 Dec 1996 09:12:56 -0500 (EST)

According to Igor V. Semenyuk:
>
> Why not? One can add an AATV which will call (or do inline) Unix-PW
> AATV, and if negative, call (or do inline) [remote] RADIUS AATV. Both are
> implemented in 2.4.21.

As I understood the question, what was wanted was a "fall back" scenario.

If the first request was negative, the second request would be issued.

The problem with this is who "owns" the authentication credentials?

We use realms here so "user@foobah.org" is a user in the foobah.org realm.

If the realm foobah.org cannot authenticate the user, then there is no
"fallback" -- the user is not authenticated. There is no concept of a
user having two realms. Similarly, if there was, there would be no way
to indicate that to RADIUS.

> One thing I really miss in Merit's radius is accounting proxying/relaying.
> That is if I have a realm being authenticated on a remote server I also
> want accounting for users in this realm to passed to the same remote
> server or (am I asking too much?) to an alternate remote server.

We support accounting relaying just fine and have done so for over two
years now...

> I can see some hooks for this in the sources but they look incomplete to me.
>
> What about that?

They are in our enhanced version, what we used to call the LAS code.

Regards,

web...

-- 
William Bulley, N8NXN              Senior Systems Research Programmer
Merit Network, Inc.                Email: web@merit.edu
4251 Plymouth Road, Suite C        Phone: (313) 764-9993
Ann Arbor, Michigan  48105-2785    Fax:   (313) 647-3185

[ What's all the fuss over the end of the century with mission critial ] [ programs failing due to dates? If people simply started using Roman ] [ Numerials the problem vanishes! MCM = 1900 MCMXCIX = 1999 MM = 2000 ]