Message: 1
Date: Sat, 31 Mar 2007 18:11:46 +0200
From: Alexander Papenburg <freeradius@papenb.org>
Subject: add realm to user based on NAS-IP
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <460E8842.5060302@papenb.org>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

Hi all,

I wonder if it is possible to add a realm to a username based on the NAS-IP the request comes from.

For instance:
- user "abc" logs on router 10.0.0.1
- router 10.0.0.1 asks a freeradius proxy for user "abc"
- freeradius-proxy recognizes the IP, adds "@realm" to the username and proxies the request to another freeradius-server based on the "realm" entry in proxy.conf

Unfortunately I found many "solutions" in the past 2 hours (like proxy-to-realm, attr_rewrite, hints...), and I can't decide which is the right one for me. %) So help would be much appreciated.

Thanks in advance
Alexander

If you're using EAP, you can't rewrite the username, as then the username in the outer identity won't match the one in the EAP tunnel and the EAP message will be rejected by your RADIUS home server, unless at your home server you strip the realm part of the User-Name attribute off again.

Your best bet for this is to use the users file and the Proxy-To-Realm 'check-item'.

So you'd have in the users file on your proxying RADIUS server:

DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm = "MyRealm"
        User-Name = "%{User-Name}@MyRealm"

Then add these to your hints file on your home RADIUS server (though you may have to rewrite them depending on the regex engine your home server is using).

# Writes stripped username to use in authorization (user@|%|/domain)
DEFAULT User-Name =~ "^([[:alnum:]]*)(@|%|/)([[:alnum:].]*)$"
        User-Name = "%{1}"

# Writes alternate stripped username to use in authorization (domain\\user)
DEFAULT User-Name =~ "^([[:alnum:].]*)\\\\\\\\([[:alnum:]]*)$"
        User-Name = "%{2}"

Hope this helps :)
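
The append-and-strip round trip described in the reply above, as an added Python sketch that is not part of the thread or of FreeRADIUS: it checks which names the home server's hints patterns actually restore after the proxy has appended the realm. Assumptions: Python's `re` stands in for the server's regex engine with `[[:alnum:]]` written as `[A-Za-z0-9]`, the second pattern is read as matching one literal backslash, and `NAS_REALMS`, `proxy_rewrite`, `home_strip` and `round_trip_ok` are hypothetical names.

```python
import re

# Python stand-ins for the two POSIX patterns in the hints file above;
# [[:alnum:]] is written as [A-Za-z0-9]. Assumption: the second pattern is
# meant to match one literal backslash between domain and user.
STRIP_SUFFIX = re.compile(r"^([A-Za-z0-9]*)(@|%|/)([A-Za-z0-9.]*)$")
STRIP_PREFIX = re.compile(r"^([A-Za-z0-9.]*)\\([A-Za-z0-9]*)$")

# Constructed NAS-to-realm table mirroring the users-file entry above.
NAS_REALMS = {"10.0.0.1": "MyRealm"}


def proxy_rewrite(user_name, nas_ip):
    """Proxy side: append the realm chosen by NAS-IP-Address, if any."""
    realm = NAS_REALMS.get(nas_ip)
    return f"{user_name}@{realm}" if realm else user_name


def home_strip(user_name):
    """Home server side: apply the two hints rules in file order."""
    m = STRIP_SUFFIX.match(user_name)
    if m:
        return m.group(1)
    m = STRIP_PREFIX.match(user_name)
    if m:
        return m.group(2)
    return user_name  # no rule matched; the name is left untouched


def round_trip_ok(user_name, nas_ip):
    """True when the home server recovers the name the user typed."""
    return home_strip(proxy_rewrite(user_name, nas_ip)) == user_name


if __name__ == "__main__":
    # Constructed sample identities, not taken from the thread.
    for name in ["abc", "john.doe", "host-01", "abc@other"]:
        sent = proxy_rewrite(name, "10.0.0.1")
        print(f"{name!r:12} -> {sent!r:22} -> {home_strip(sent)!r:12} "
              f"ok={round_trip_ok(name, '10.0.0.1')}")
```

Names containing a dot, a hyphen or an existing realm are not matched by the first pattern as written, so they reach authorization with the appended realm still attached, which is the outer/inner identity mismatch the reply warns about for EAP.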