Re: Authentication accept/deny based on realm



Lisa Casey wrote:

> I am using freeradius. I currently have two realms set up in my users file
> with fallthrough=yes for both of them since the usernames/passwords are also
> in the users file and I need to be able to match on those. Currently, if
> username johndoe logs in as johndoe@realm1.com he gets accepted. If he then
> logs in as johndoe@realm2.com he will also get accepted since freeradius
> looks at the users file (and the realms file), finds the realm is valid, then
> goes on down the users file, finds the username/password valid, thus
> accepting the login.

  You have configured both realms to 'strip' the realm name.  This means
that after the realm matches, "johndoe" *is* the user's name.  Since
you've done this for both realms, it means you've told the server that
the unique user identifier is "johndoe", and not "johndoe@realm1.com".

  The solution is to *not* strip the realm name.  You then have to go and
update your users file entries to have the full name, including realm.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
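The two configurations side by side, as an added example that is not part of the original thread: the stripping setup that accepts johndoe under either realm, and the nostrip setup Alan describes. It assumes the proxy.conf realm syntax of FreeRADIUS 2.x/3.x rather than the legacy realms file mentioned in the question, and the passwords are placeholders.

```conf
# --- BEFORE (weak): realm is stripped, so both logins become "johndoe" ---
# proxy.conf: stripping is the default, nothing special here
realm realm1.com {
}
realm realm2.com {
}
# users: one entry matches johndoe@realm1.com AND johndoe@realm2.com,
# because after stripping the User-Name seen by the users file is "johndoe"
johndoe  Cleartext-Password := "PLACEHOLDER-PW"

# --- AFTER (fix): keep the realm in the User-Name ---
# proxy.conf: nostrip keeps "johndoe@realm1.com" as the identifier
realm realm1.com {
    nostrip
}
realm realm2.com {
    nostrip
}
# users: the full name, including realm, is now the key.
# johndoe@realm2.com only matches if its own entry exists, so a user
# provisioned in one realm is no longer accepted under the other.
johndoe@realm1.com  Cleartext-Password := "PLACEHOLDER-PW-1"
johndoe@realm2.com  Cleartext-Password := "PLACEHOLDER-PW-2"
```

After the change, run the server in debug mode (`radiusd -X`) and confirm that a johndoe@realm2.com request without a matching entry is rejected rather than falling through to a bare "johndoe" line.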



