Reject user without realm

Kevin Bonner keb at pa.net
Mon Apr 9 21:15:30 CEST 2007


On Monday 09 April 2007 14:32:31 Marcos Roberto Greiner wrote:
> The problem I'm having is that if a user adds no realm, only the user,
> the server is authenticating locally. I wanted it to deny the
> authentication. How should I proceed?

A username with no realm will match the NULL realm.  You can reject NULL 
realms with:

== users ==
DEFAULT Realm == "NULL", Auth-Type := Reject
== users ==

> hints file. Added only the following entry:
> # The following entry is to be authenticated locally
> DEFAULT Suffix == "@domain1.com", Strip-User-Name = Yes
>         Hint = "PPP",
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP

A realm definition for domain1.com and a small users file entry should do the 
same thing, as long as you don't add the nostrip option for the realm.

> rad_recv: Access-Request packet from host a.b.c.d:3793, id=0, length=58
>         User-Name = "user at provider1.com"
>         User-Password = "user"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   hints: Matched DEFAULT at 36
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "user", looking up realm NULL
>     rlm_realm: No such realm "NULL"

This request matches the NULL realm, which should be impossible based on your 
configuration and the description of how the NULL realm works.  The User-Name 
has a realm in this request, so it should match the DEFAULT realm if it is 
defined.  Since the hints file matched at line 36 here, I assume you actually 
configured provider1.com instead of domain1.com in your hints file.

Is this assumption correct?  If not, what is in your hints file at line 36?

Kevin Bonner
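
An added example (not part of the original message and not FreeRADIUS code): a simplified Python model of the order seen in the debug log, where a hints entry strips the suffix before the realm lookup runs, so the name arrives there without an '@'. The hints entry, realm table and function names are constructed for illustration, and the model assumes a NULL realm is defined so that the `Realm == "NULL"` check can match.

```python
# Simplified model (not FreeRADIUS code) of the authorize order in the log:
# preprocess applies hints first, then the realm lookup inspects User-Name.

# Constructed hints entry: (suffix to match, strip it from User-Name?)
HINTS = [("@provider1.com", True)]
# Constructed realm table. Assumption: a NULL realm is defined; no DEFAULT realm.
REALMS = {"NULL", "domain1.com"}


def apply_hints(user_name, hints=HINTS):
    """Return User-Name after the first matching Suffix hint is applied."""
    for suffix, strip in hints:
        if user_name.endswith(suffix):
            return user_name[: -len(suffix)] if strip else user_name
    return user_name


def lookup_realm(user_name, realms=REALMS):
    """Suffix-style lookup: text after the last '@', or NULL when there is none."""
    name = user_name.rsplit("@", 1)[1] if "@" in user_name else "NULL"
    if name in realms:
        return name
    # In this model a realm-less name never falls through to DEFAULT.
    if name != "NULL" and "DEFAULT" in realms:
        return "DEFAULT"
    return None  # corresponds to a 'No such realm' log line


def authorize(user_name, hints=HINTS, realms=REALMS):
    """Model of: hints -> realm lookup -> users rule rejecting the NULL realm."""
    stripped = apply_hints(user_name, hints)
    realm = lookup_realm(stripped, realms)
    # Mirrors the users entry: DEFAULT Realm == "NULL", Auth-Type := Reject
    decision = "Reject" if realm == "NULL" else "continue"
    return stripped, realm, decision


if __name__ == "__main__":
    for name in ("user", "user@domain1.com", "user@provider1.com", "user@other.net"):
        print(f"{name!r:24} -> {authorize(name)}")
```

In this model `user@provider1.com` is rejected even though it was sent with a realm, because the hint removed the suffix before the lookup; that is the ordering effect to check for when a hints entry and a NULL-realm rule are used together.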