If we want to use more than one realm and resolver, how can they be defined in the rlm_perl.ini file (REALM = one, two, etc… RESCONF = one, two, etc.), and in what order are they applied?
How can we customize the portal for users? Is it possible?
Is it possible to restrict user login via browser to the PI portal for enrolling tokens? Can we manage access according to AD group membership?
Is there a way to change the web server (from Apache to nginx) without reinstalling?
Regards
Hello. I have the same issue. I have one realm, but I’d like to define different resolvers for different organizational units (OUs) under the same domain name in AD. If that is possible, do I have to change anything in the rlm_perl.ini file? I want to filter resolvers while an AD user makes a response from fortigate-freeradius and PI. I hope I could explain what I mean. Thank you.
This is my perl.ini file
[Default]
URL = https://localhost/validate/check
REALM = k******m
#RESCONF = k*i*i*l*r
SSL_CHECK = false
#SSL_CA_PATH =
#DEBUG = true
#[Mapping]
serial = privacyIDEA-Serial
[Mapping user]
# The Mapping is used to add attributes to the RADIUS response.
# The value is read from the privacyIDEA response.
# In this case the content of the privacyIDEA response
# detail->user->group
# will be written to the RADIUS response attribute "Class".
group=Class
[Attribute Filter-Id]
# With the multivalue attributes in the user response of privacyIDEA
# we can also do an attribute mangling.
# privacyIDEA may return a value like
# detail : { user : { acl : ["CN=vpn-user,ou=sales,dc=example,dc=com",
# "CN=domain users,ou=sales,dc=example,dc=com"]}}}
#
# The below example would match the privacyIDEA userAttribute "acl" and check if the
# value matches the regex. If it does, it will add the substring $1 as the
# "Filter-Id" to the RADIUS response.
# The ini file can contain several "Attribute" groups, to add several RADIUS attributes
# to the response.
#
#dir = user
#userAttribute = acl
#regex = CN=(\w*)-user,OU=sales,DC=example,DC=com
#prefix =
#suffix =
[Attribute Fortinet-Group-Name]
dir = user
[Attribute Fortinet-Group-Name]
dir = user
userAttribute = group
regex = CN=(.*?),.*
[Attribute otherAttribute]
# If you want to have more mapping rules for a RADIUS attribute you
# can give the section an arbitrary name and use the key "radiusAttribute".
#
# This example will set the Filter-Id to "FIXEDValue" if the user is located in
# resolver1.
#
#radiusAttribute = Filter-Id
#userAttribute = user-resolver
#regex = resolver1
#prefix = FIXEDValue
[Attribute Class]
# This example will add the RADIUS Attribute Class = SomeOtherValue
# if the user is in the resolver "myResolverName".
#
#userAttribute = user-resolver
#regex = myResolverName
#prefix = SomeOtherValue
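
The mapping rules described in the comments of the posted file, emulated as an added example (not part of the thread and not privacyIDEA's plugin code). The sample response, the `apply_rule` helper and the narrower regex are assumptions constructed for illustration; the example compares the posted `CN=(.*?),.*` rule with a rule anchored to one OU.

```python
import re

# Constructed sample of the user part of a privacyIDEA response (not from the thread).
SAMPLE_USER = {
    "group": [
        "CN=vpn-user,OU=sales,DC=example,DC=com",
        "CN=domain users,OU=sales,DC=example,DC=com",
    ],
    "user-resolver": "resolver1",
}

def apply_rule(user, user_attribute, regex, prefix="", suffix=""):
    """Emulate one [Attribute ...] rule as the ini comments describe it:
    match the attribute value(s) against regex and emit prefix + $1 + suffix.
    Assumption: every matching value of a multivalue attribute is emitted."""
    values = user.get(user_attribute, [])
    if isinstance(values, str):
        values = [values]
    out = []
    for value in values:
        m = re.search(regex, value)
        if m:
            captured = m.group(1) if m.groups() else ""
            out.append(f"{prefix}{captured}{suffix}")
    return out

# Rule as posted: the first RDN of every group DN becomes a Fortinet-Group-Name.
BROAD = r"CN=(.*?),.*"
# Tighter variant (hypothetical): only groups named *-user under OU=sales qualify.
NARROW = r"^CN=(\w+-user),OU=sales,DC=example,DC=com$"

def fortinet_groups(regex):
    """RADIUS values the rule would produce for the constructed sample user."""
    return apply_rule(SAMPLE_USER, "group", regex)

if __name__ == "__main__":
    print("broad :", fortinet_groups(BROAD))
    print("narrow:", fortinet_groups(NARROW))
    # Fixed-value rule from the [Attribute otherAttribute] comment block.
    print("filter:", apply_rule(SAMPLE_USER, "user-resolver", "resolver1",
                                prefix="FIXEDValue"))
```

With the broad rule every group the user belongs to is passed to the firewall as a group name, so any FortiGate policy keyed on one of those names applies; anchoring the regex limits that to the intended groups.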