Authenticate users from multiple realms on the same NAS

Scott Lambert lambert at lambertfam.org
Sat Aug 12 01:43:12 CEST 2006


On Sat, Aug 12, 2006 at 01:06:38AM +0200, Francois-Xavier GAILLARD wrote:
> On Fri, Aug 11, 2006 at 06:09:21PM -0400, Alan DeKok wrote:
> > Francois-Xavier GAILLARD <fx.gaillard at thefox.com.fr> wrote:
> > > It's a bit tricky, any easier way, Alan?
> > 
> >   I'm not sure... the main problem is that multiple people with the
> > same name are dialing into the same NAS equipment.  So they really are
> > the "same" person, but with many possible valid passwords.
> > 
> >   It's a hard problem to solve cleanly.
> 
> And I'm not even sure my solution works. It's easy to look for
> Called-Station-Id, but how would one look for Called-Station-Id if
> it's not there (DSL users).
> 
> Maybe he should configure the NASes to send different NAS-IP-Address
> according to whether it's a dialup user or a DSL user, using different
> loopback addresses, and then rewrite User-Name using NAS-IP-Address
> attribute.

I probably wasn't clear; it's not the same NAS for DSL and dialup.
However, it is (going to be) the same NAS for DSL at all three ISPs.
Also, it will be the same, different, NAS for dialup in the towns where
coverage overlaps.  We have to use DS1s for dial in these areas and they
don't have caller id features so there is no Called-Station-Id.

Would I be able to set up three mysql entries in the way that Alan
suggested for the LDAP setup, but with a different query specified for
each realm which includes the realm in the selection criteria of the query?

I need to find some time to get a test install up.  Or hire somebody to
build the initial config for me.

I just don't know how the accounting will hold together with any
solution.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert at lambertfam.org
