
FreeRADIUS for a Combined IdP and SP

This example shows how a single FreeRADIUS 3.x server can act as IdP for its own users (terminating EAP locally) and as SP for visitors (proxying every foreign realm to the federation).

Local Realms

In proxy.conf, define each local realm without a pool or authhost. A realm with no home server is handled locally and is never proxied; nostrip leaves the User-Name unchanged, so the full user@realm identity is still visible to the modules that run later:

# Local realms: no pool, so requests are authenticated on this server
realm institution.ac.ke {
    nostrip
}

# Every local realm must be listed, otherwise it falls into DEFAULT below
realm students.institution.ac.ke {
    nostrip
}

Proxying Foreign Realms

Define the upstream federation servers, a fail-over pool, and a DEFAULT realm that catches every realm not defined locally. Exact IPs, secrets, and server names must match the values provided by the federation.

# Federation home servers. Addresses and the secret are placeholders that
# must be replaced with the values issued by the federation operator.
home_server kenet_eduroam_primary {
    # auth+acct: authentication on 'port', accounting on port + 1 (1813)
    type = auth+acct
    ipaddr = 196.0.0.10
    port = 1812
    secret = <federation-shared-secret>
    # no reply within response_window marks the server zombie;
    # a zombie still silent after zombie_period is marked dead
    response_window = 20
    zombie_period = 40
    # probe liveness with Status-Server packets instead of fake requests
    status_check = status-server
}

home_server kenet_eduroam_secondary {
    type = auth+acct
    ipaddr = 196.0.0.11
    port = 1812
    secret = <federation-shared-secret>
    response_window = 20
    zombie_period = 40
    status_check = status-server
}

# fail-over: all requests go to the first live server in the list
home_server_pool kenet_pool {
    type = fail-over
    home_server = kenet_eduroam_primary
    home_server = kenet_eduroam_secondary
}

# Catch-all: any realm not defined above is proxied to the federation.
# nostrip is required so the home institution receives the full NAI.
realm DEFAULT {
    pool = kenet_pool
    nostrip
}

The addresses above are examples only; use the exact addressing, secret and policy supplied by the federation operator, and replace the placeholder secret before starting the server.
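A simplified model of how the fail-over pool above reacts to an unresponsive primary, added here as an illustration; it is not FreeRADIUS code and compresses the documented timer semantics into a few rules: a server that does not answer within response_window is marked zombie, a zombie that stays silent for zombie_period is marked dead, and a zombie or dead server that answers enough Status-Server probes is marked alive again. The 20 s and 40 s values come from the configuration above; num_answers_to_alive = 3 is an assumption (the FreeRADIUS default, not stated on this page) and check_interval is left out. The timeline in scenario() is constructed.

```python
"""Simplified model of a FreeRADIUS fail-over home_server_pool.

Added illustration, not FreeRADIUS code. Model rules (assumptions):
  - a request with no reply inside response_window marks the server zombie
  - a zombie still unanswered after zombie_period is marked dead
  - num_answers_to_alive consecutive answered Status-Server probes revive
    a zombie or dead server
  - the pool sends to the first alive server in its list, falling back to
    a zombie if nothing is alive, and fails the request if all are dead
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HomeServer:
    name: str
    response_window: float = 20.0     # seconds, as in proxy.conf above
    zombie_period: float = 40.0       # seconds, as in proxy.conf above
    num_answers_to_alive: int = 3     # assumption: FreeRADIUS default
    state: str = "alive"              # alive | zombie | dead
    zombie_since: Optional[float] = None
    answered_checks: int = 0

    def request_result(self, sent_at: float, reply_at: Optional[float]) -> bool:
        """Record one proxied request; True if answered inside response_window."""
        if reply_at is not None and reply_at - sent_at <= self.response_window:
            return True
        if self.state == "alive":
            self.state = "zombie"
            self.zombie_since = sent_at + self.response_window
            self.answered_checks = 0
        return False

    def status_check(self, now: float, answered: bool) -> str:
        """Record one Status-Server probe and return the resulting state."""
        if self.state == "alive":
            return self.state
        if answered:
            self.answered_checks += 1
            if self.answered_checks >= self.num_answers_to_alive:
                self.state, self.zombie_since, self.answered_checks = "alive", None, 0
        else:
            self.answered_checks = 0
            if self.state == "zombie" and now - self.zombie_since >= self.zombie_period:
                self.state = "dead"
        return self.state


class FailoverPool:
    def __init__(self, servers: List[HomeServer]):
        self.servers = servers

    def choose(self) -> Optional[HomeServer]:
        for s in self.servers:
            if s.state == "alive":
                return s
        for s in self.servers:        # nothing alive: a zombie is still worth a try
            if s.state == "zombie":
                return s
        return None                   # every server dead: the request fails


def scenario() -> List[str]:
    """Constructed timeline: the primary goes silent at t=0 and recovers later."""
    primary = HomeServer("kenet_eduroam_primary")
    secondary = HomeServer("kenet_eduroam_secondary")
    pool = FailoverPool([primary, secondary])
    events = []
    events.append("t=0 " + pool.choose().name)                  # primary is alive
    primary.request_result(sent_at=0, reply_at=None)            # no answer by t=20
    events.append("t=20 primary " + primary.state)              # zombie
    events.append("t=21 " + pool.choose().name)                 # secondary takes over
    primary.status_check(30, answered=False)                    # probe unanswered
    events.append("t=60 primary " + primary.status_check(60, answered=False))  # dead
    for t in (90, 120):                                         # two good probes
        primary.status_check(t, answered=True)
    events.append("t=120 primary " + primary.state)             # not yet: needs 3
    events.append("t=150 primary " + primary.status_check(150, answered=True))
    events.append("t=151 " + pool.choose().name)                # back on the primary
    return events
```

What the timeline shows: with these values a request lost on the primary stalls for 20 s before the secondary is tried, and the primary is only declared dead after a further 40 s of silence. A shorter response_window shortens the user-visible stall but makes a busy federation server look dead sooner, so change it only in agreement with the federation operator.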

Authorize Flow

In sites-enabled/default, realm processing (suffix) must run in the authorize section before eap: suffix sets Proxy-To-Realm for foreign realms, and if eap ran first it would claim the request and try to terminate a visitor's EAP session locally:

authorize {
    preprocess
    filter_username
    # suffix splits User-Name at '@' and looks the realm up in proxy.conf;
    # it sets Proxy-To-Realm only for realms that have a pool
    suffix
    # eap skips requests that have Proxy-To-Realm set
    eap
    # local identity sources; a visiting user is simply not found here
    ldap
    files
    expiration
    logintime
}

The suffix module splits the User-Name at the '@', looks the realm up in proxy.conf and sets the Realm attribute. A realm without a pool is local and the request continues through the local modules; any other realm matches DEFAULT, Proxy-To-Realm is set, and the request is sent to the federation pool after authorize finishes.

Authentication and Proxy Behavior

For local users:

  • EAP is terminated locally, using this server's certificate
  • credentials are validated against LDAP, AD, SQL, or local policy
  • reply attributes (VLAN, session limits) are set locally in post-auth

For visiting users:

  • only the outer EAP conversation is relayed, by realm, to the federation; the inner identity and credentials stay inside the TLS tunnel between the supplicant and the home server
  • the home institution performs the actual credential validation and returns Access-Accept or Access-Reject
  • the local SP still enforces network policy after Access-Accept, for example by overriding any VLAN attributes the home server sent

Accounting

Combined deployments should store accounting locally and proxy accounting upstream where required by policy. Two things make the proxying work: the pool above is type auth+acct, so Accounting-Requests for foreign realms go to the same home servers, and the suffix module must also run in the preacct section; without it no Proxy-To-Realm is set for accounting packets and nothing is proxied.

Example accounting section:

accounting {
    # local copy of every Accounting-Request, proxied or not
    detail
    sql
}

Authorization Example

Apply different VLANs for local and visiting users. Both local realms must be matched, otherwise students would fall through with no VLAN assignment:

post-auth {
    # Local realms were authenticated on this server: local VLAN
    if (&Realm == "institution.ac.ke" || &Realm == "students.institution.ac.ke") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
    # Anything that was proxied is a visitor: guest VLAN. The := operator
    # replaces any Tunnel-* attributes the home server put in its reply,
    # so a foreign institution cannot choose the VLAN on this network.
    elsif (&Proxy-To-Realm) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "30"
        }
    }
}

Validate this against the wireless platform: the controller or access points must honour dynamic VLAN assignment through the Tunnel-* attributes, and VLANs 10 and 30 must exist on the switch ports behind them.
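The whole decision chain described under Authorize Flow, Authentication and Proxy Behavior, Accounting and the post-auth policy above, as an added Python model; this is not FreeRADIUS code. suffix() mimics what the suffix module does with a User-Name against the realms in proxy.conf, route() shows where an Access-Request or Accounting-Request goes, and vlan_for() applies the post-auth VLAN policy. Splitting at the last '@', comparing realm names case-insensitively, and handling a name without '@' or with an empty realm locally (no NULL realm is defined on this page) are assumptions of the model; the sample user names are constructed.

```python
"""Model of the realm-routing and VLAN decisions in the configuration above.

Added illustration, not FreeRADIUS code. It reproduces, at a coarse level,
what rlm_realm (the 'suffix' instance) does to a User-Name and what the
post-auth policy then does with the result.
"""
from dataclasses import dataclass
from typing import Optional

# Realms from proxy.conf. None means "no pool: handle locally".
REALMS = {
    "institution.ac.ke": None,
    "students.institution.ac.ke": None,
    "DEFAULT": "kenet_pool",
}
LOCAL_REALMS = tuple(name for name, pool in REALMS.items() if pool is None)
LOCAL_VLAN, VISITOR_VLAN = "10", "30"


@dataclass
class Decision:
    user_name: str                  # unchanged: every realm above is nostrip
    realm: Optional[str]            # what rlm_realm would put in &Realm
    proxy_to_realm: Optional[str]   # set only when the request is proxied
    pool: Optional[str]


def suffix(user_name: str) -> Decision:
    """What the suffix module does in authorize and preacct (model)."""
    if "@" not in user_name:
        # No realm part and no NULL realm defined: the module does nothing.
        return Decision(user_name, None, None, None)
    _, _, realm_part = user_name.rpartition("@")    # assumption: last '@'
    if realm_part == "":
        # "user@" carries no routable realm; this model keeps it local.
        return Decision(user_name, None, None, None)
    for name in LOCAL_REALMS:
        if name.lower() == realm_part.lower():      # assumption: case-insensitive
            return Decision(user_name, name, None, None)
    pool = REALMS.get("DEFAULT")
    if pool is None:
        return Decision(user_name, None, None, None)
    # &Realm takes the configured realm name, here the literal DEFAULT.
    return Decision(user_name, "DEFAULT", "DEFAULT", pool)


def route(code: str, user_name: str) -> dict:
    """Where a packet goes.

    Access-Request: handled locally or proxied to the pool.
    Accounting-Request: always stored locally (detail, sql) and additionally
    proxied to the pool when the realm is foreign.
    """
    d = suffix(user_name)
    if code == "Access-Request":
        return {"local_auth": d.proxy_to_realm is None, "proxy_pool": d.pool}
    if code == "Accounting-Request":
        return {"store_locally": True, "proxy_pool": d.pool}
    raise ValueError("unhandled packet type: " + code)


def vlan_for(d: Decision) -> Optional[str]:
    """post-auth policy: local realms -> VLAN 10, anything proxied -> VLAN 30."""
    if d.realm in LOCAL_REALMS:
        return LOCAL_VLAN
    if d.proxy_to_realm is not None:
        return VISITOR_VLAN
    return None     # e.g. bare username: no Tunnel-* attributes are added


if __name__ == "__main__":
    for name in ("alice@institution.ac.ke", "bob@Students.Institution.AC.KE",
                 "carol@uni.example.edu", "dave"):          # constructed samples
        d = suffix(name)
        print(name, route("Access-Request", name), "VLAN", vlan_for(d))
```

Running the module prints one line per sample: the two local names stay local and get VLAN 10 regardless of the case the supplicant used for the realm, the foreign name is routed to kenet_pool and gets VLAN 30, and the bare username is neither proxied nor given a VLAN, which is the case to decide on explicitly when an eduroam SSID is involved.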

Operational Notes

  • do not proxy local realms upstream: every local realm must appear in proxy.conf without a pool, otherwise it falls into DEFAULT
  • do not use the test certificates generated under raddb/certs in production; EAP-TLS, EAP-TTLS and PEAP need a server certificate that supplicants are configured to trust
  • validate both the authentication and the accounting path end to end, once for a local realm and once for a foreign one (eapol_test and radclient are the usual tools)
  • keep federation peer definitions (home servers, secrets, pools) under change control